Merge pull request #1082 from t-woerner/fix_pwpolicy_maxsequence_test

pwpolicy test: Fix maxsequence test

.ansible-lint

@@ -10,10 +10,17 @@ exclude_paths:
   - molecule/
   - tests/azure/
   - meta/runtime.yml
+  - requirements-docker.yml
+  - requirements-podman.yml
 
 kinds:
   - playbook: '**/tests/**/test_*.yml'
   - playbook: '**/playbooks/**/*.yml'
+  - playbook: '**/tests/ca-less/install_*_without_ca.yml'
+  - playbook: '**/tests/ca-less/clean_up_certificates.yml'
+  - playbook: '**/tests/external-signed-ca-with-automatic-copy/install-server-with-external-ca-with-automatic-copy.yml'
+  - playbook: '**/tests/external-signed-ca-with-manual-copy/install-server-with-external-ca-with-manual-copy.yml'
+  - playbook: '**/tests/user/create_users_json.yml'
   - tasks: '**/tasks_*.yml'
   - tasks: '**/env_*.yml'
 
@@ -26,6 +33,9 @@ skip_list:
   - '305'  # Use shell only when shell functionality is required
   - '306'  # risky-shell-pipe
   - yaml   # yamllint should be executed separately.
+  - experimental   # Do not run any experimental tests
+  - name[template] # Allow Jinja templating inside task names
+  - var-naming
 
 use_default_rules: true
 

.github/workflows/ansible-test.yml

@@ -8,7 +8,7 @@ jobs:
     name: Verify ansible-test sanity
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3.1.0
         with:
           fetch-depth: 0
       - name: Install virtualenv using pip

.github/workflows/docs.yml

@@ -4,42 +4,14 @@ on:
   - push
   - pull_request
 jobs:
-  check_docs_29:
-    name: Check Ansible Documentation with Ansible 2.9.
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-        with:
-          python-version: '3.x'
-      - name: Install Ansible 2.9
-        run: |
-          python -m pip install "ansible < 2.10"
-      - name: Run ansible-doc-test
-        run: |
-          ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
-
-  check_docs_2_11:
-    name: Check Ansible Documentation with ansible-core 2.11.
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-        with:
-          python-version: '3.x'
-      - name: Install Ansible 2.11
-        run: |
-          python -m pip install "ansible-core >=2.11,<2.12"
-      - name: Run ansible-doc-test
-        run: |
-          ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
-
-  check_docs_2_12:
+  check_docs_oldest_supported:
     name: Check Ansible Documentation with ansible-core 2.12.
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v4.3.0
         with:
           python-version: '3.x'
       - name: Install Ansible 2.12
@@ -47,15 +19,50 @@ jobs:
           python -m pip install "ansible-core >=2.12,<2.13"
       - name: Run ansible-doc-test
         run: |
-          python -m pip install "ansible-core >=2.12,<2.13"
           ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
 
-  check_docs_latest:
+  check_docs_previous:
+    name: Check Ansible Documentation with ansible-core 2.13.
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v4.3.0
+        with:
+          python-version: '3.x'
+      - name: Install Ansible 2.13
+        run: |
+          python -m pip install "ansible-core >=2.13,<2.14"
+      - name: Run ansible-doc-test
+        run: |
+          ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
+
+  check_docs_current:
+    name: Check Ansible Documentation with ansible-core 2.14.
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v4.3.0
+        with:
+          python-version: '3.x'
+      - name: Install Ansible 2.14
+        run: |
+          python -m pip install "ansible-core >=2.14,<2.15"
+      - name: Run ansible-doc-test
+        run: |
+          ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
+
+  check_docs_ansible_latest:
     name: Check Ansible Documentation with latest Ansible version.
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v4.3.0
         with:
           python-version: '3.x'
       - name: Install Ansible-latest

.github/workflows/lint.yml

@@ -8,36 +8,40 @@ jobs:
     name: Verify ansible-lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v4.3.0
         with:
           python-version: "3.x"
       - name: Run ansible-lint
         run: |
-          pip install ansible-core==2.11.6 ansible-lint
-          find playbooks roles tests -name '*.yml' ! -name "env_*" ! -name "tasks_*" -exec ansible-lint --force-color {} \+
-        env:
-          ANSIBLE_MODULE_UTILS: plugins/module_utils
-          ANSIBLE_LIBRARY: plugins/modules
-          ANSIBLE_DOC_FRAGMENT_PLUGINS: plugins/doc_fragments
+          pip install "ansible-core >=2.14,<2.15" ansible-lint
+          utils/build-galaxy-release.sh -ki
+          cd .galaxy-build
+          ansible-lint
 
   yamllint:
     name: Verify yamllint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v4.3.0
         with:
           python-version: "3.x"
       - name: Run yaml-lint
-        uses: ibiqlik/action-yamllint@v1
+        uses: ibiqlik/action-yamllint@v3.1.1
 
   pydocstyle:
     name: Verify pydocstyle
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v4.3.0
         with:
           python-version: "3.x"
       - name: Run pydocstyle
@@ -49,32 +53,38 @@ jobs:
     name: Verify flake8
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v4.3.0
         with:
           python-version: "3.x"
       - name: Run flake8
         run: |
-            pip install flake8
+            pip install flake8 flake8-bugbear
             flake8
 
   pylint:
     name: Verify pylint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v4.3.0
         with:
           python-version: "3.x"
       - name: Run pylint
         run: |
-            pip install pylint==2.12.2
+            pip install pylint==2.14.4 wrapt==1.14.0
             pylint plugins roles --disable=import-error
 
   shellcheck:
     name: Shellcheck
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
       - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@1.1.0
+        uses: ludeeus/action-shellcheck@master

.github/workflows/readme.yml

@@ -8,7 +8,9 @@ jobs:
     name: Verify readme
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3.1.0
+        with:
+          fetch-depth: 0
       - name: Run readme test
         run: |
           error=0

.gitignore

@@ -1,5 +1,11 @@
 *.pyc
 *.retry
+*.swp
+
+# collection files
+freeipa-ansible_freeipa*.tar.gz
+redhat-rhel_idm*.tar.gz
+importer_result.json
 
 # ignore virtual environments
 /.tox/

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 ---
 repos:
 - repo: https://github.com/ansible/ansible-lint.git
-  rev: v5.3.2
+  rev: v6.6.1
   hooks:
   - id: ansible-lint
     always_run: false
@@ -11,20 +11,20 @@ repos:
     entry: |
         env ANSIBLE_LIBRARY=./plugins/modules ANSIBLE_MODULE_UTILS=./plugins/module_utils ANSIBLE_DOC_FRAGMENT_PLUGINS=./plugins/doc_fragments ansible-lint
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.26.1
+  rev: v1.28.0
   hooks:
   - id: yamllint
     files: \.(yaml|yml)$
-- repo: https://gitlab.com/pycqa/flake8
-  rev: 3.9.2
+- repo: https://github.com/pycqa/flake8
+  rev: 5.0.3
   hooks:
   - id: flake8
-- repo: https://gitlab.com/pycqa/pydocstyle
-  rev: 6.1.1
+- repo: https://github.com/pycqa/pydocstyle
+  rev: 6.0.0
   hooks:
   - id: pydocstyle
 - repo: https://github.com/pycqa/pylint
-  rev: v2.12.2
+  rev: v2.14.4
   hooks:
   - id: pylint
     args:

README-cert.md

@@ -0,0 +1,175 @@
+Cert module
+============
+
+Description
+-----------
+
+The cert module makes it possible to request, revoke and retrieve SSL certificates for hosts, services and users.
+
+Features
+--------
+
+* Certificate request
+* Certificate hold/release
+* Certificate revocation
+* Certificate retrieval
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipacert module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+* Some tool to generate a certificate signing request (CSR) might be needed, like `openssl`.
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+Example playbook to request a new certificate for a service:
+
+```yaml
+---
+- name: Certificate request
+  hosts: ipaserver
+
+  tasks:
+  - name: Request a certificate for a web server
+    ipacert:
+      ipaadmin_password: SomeADMINpassword
+      state: requested
+      csr: |
+        -----BEGIN CERTIFICATE REQUEST-----
+        MIGYMEwCAQAwGTEXMBUGA1UEAwwOZnJlZWlwYSBydWxlcyEwKjAFBgMrZXADIQBs
+        HlqIr4b/XNK+K8QLJKIzfvuNK0buBhLz3LAzY7QDEqAAMAUGAytlcANBAF4oSCbA
+        5aIPukCidnZJdr491G4LBE+URecYXsPknwYb+V+ONnf5ycZHyaFv+jkUBFGFeDgU
+        SYaXm/gF8cDYjQI=
+        -----END CERTIFICATE REQUEST-----
+      principal: HTTP/www.example.com
+    register: cert
+```
+
+Example playbook to revoke an existing certificate:
+
+```yaml
+---
+- name: Revoke certificate
+  hosts: ipaserver
+
+  tasks:
+  - name Revoke a certificate
+    ipacert:
+      ipaadmin_password: SomeADMINpassword
+      serial_number: 123456789
+      state: revoked
+```
+
+Example to hold a certificate (alias for revoking a certificate with reason `certificateHold (6)`):
+
+```yaml
+---
+- name: Hold a certificate
+  hosts: ipaserver
+
+  tasks:
+  - name: Hold certificate
+    ipacert:
+      ipaadmin_password: SomeADMINpassword
+      serial_number: 0xAB1234
+      state: held
+```
+
+Example playbook to release hold of certificate (may be used with any revoked certificates, despite of the rovoke reason):
+
+```yaml
+---
+- name: Release hold
+  hosts: ipaserver
+
+  tasks:
+  - name: Take a revoked certificate off hold
+    ipacert:
+      ipaadmin_password: SomeADMINpassword
+      serial_number: 0xAB1234
+      state: released
+```
+
+Example playbook to retrieve a certificate and save it to a file in the target node:
+
+```yaml
+---
+- name: Retriev certificate
+  hosts: ipaserver
+
+  tasks:
+  - name: Retrieve a certificate and save it to file 'cert.pem'
+    ipacert:
+      ipaadmin_password: SomeADMINpassword
+      certificate_out: cert.pem
+      state: retrieved
+```
+
+
+ipacert
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
+`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
+`csr` | X509 certificate signing request, in PEM format. | yes, if `state: requested`
+`principal` | Host/service/user principal for the certificate. | yes, if `state: requested`
+`add` \| `add_principal` | Automatically add the principal if it doesn't exist (service principals only). (bool) | no
+`profile_id` \| `profile` | Certificate Profile to use | no
+`ca` | Name of the issuing certificate authority. | no
+`chain` | Include certificate chain in output. (bool) | no
+`serial_number` | Certificate serial number. (int) | yes, if `state` is `retrieved`, `held`, `released` or `revoked`.
+`revocation_reason` \| `reason` | Reason for revoking the certificate. Use one of the reason strings, or the corresponding value: "unspecified" (0), "keyCompromise" (1), "cACompromise" (2), "affiliationChanged" (3), "superseded" (4), "cessationOfOperation" (5), "certificateHold" (6), "removeFromCRL" (8), "privilegeWithdrawn" (9), "aACompromise" (10) | yes, if `state: revoked`
+`certificate_out` | Write certificate (chain if `chain` is set) to this file, on the target node. | no
+`state` | The state to ensure. It can be one of `requested`, `held`, `released`, `revoked`, or `retrieved`. `held` is the same as revoke with reason "certificateHold" (6). `released` is the same as `cert-revoke-hold` on IPA CLI, releasing the hold status of a certificate. | yes
+
+
+Return Values
+=============
+
+Values are returned only if `state` is `requested` or `retrieved` and if `certificate_out` is not defined.
+
+Variable | Description | Returned When
+-------- | ----------- | -------------
+`certificate` | Certificate fields and data. (dict) <br>Options: | if `state` is `requested` or `retrieved` and if `certificate_out` is not defined
+&nbsp; | `certificate` - Issued X509 certificate in PEM encoding. Will include certificate chain if `chain: true`. (list) | always 
+&nbsp; | `san_dnsname` - X509 Subject Alternative Name. | When DNSNames are present in the Subject Alternative Name extension of the issued certificate.
+&nbsp; | `issuer` - X509 distinguished name of issuer. | always
+&nbsp; | `subject` - X509 distinguished name of certificate subject. | always
+&nbsp; | `serial_number` - Serial number of the issued certificate. (int) | always
+&nbsp; | `revoked` - Revoked status of the certificate. (bool) | if certificate was revoked
+&nbsp; | `owner_user` - The username that owns the certificate. | if `state: retrieved` and certificate is owned by a user
+&nbsp; | `owner_host` - The host that owns the certificate. | if `state: retrieved` and certificate is owned by a host
+&nbsp; | `owner_service` - The service that owns the certificate. | if `state: retrieved` and certificate is owned by a service
+&nbsp; | `valid_not_before` - Time when issued certificate becomes valid, in GeneralizedTime format (YYYYMMDDHHMMSSZ) | always
+&nbsp; | `valid_not_after` - Time when issued certificate ceases to be valid, in GeneralizedTime format (YYYYMMDDHHMMSSZ) | always
+
+
+Authors
+=======
+
+Sam Morris
+Rafael Jeffman

README-config.md

@@ -65,6 +65,9 @@ Example playbook to read config options:
         maxusername: 64
 ```
 
+
+Example playbook to set global configuration options:
+
 ```yaml
 ---
 - name: Playbook to ensure some config options are set
@@ -79,6 +82,40 @@ Example playbook to read config options:
 ```
 
 
+Example playbook to enable SID and generate users and groups SIDs:
+
+```yaml
+---
+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+    - name: Enable SID and generate users and groups SIDS
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        add_sids: yes
+```
+
+Example playbook to change IPA domain NetBIOS name:
+
+```yaml
+---
+- name: Playbook to change IPA domain netbios name
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+    - name: Set IPA domain netbios name
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        netbios_name: IPADOM
+```
+
 Variables
 =========
 
@@ -111,6 +148,9 @@ Variable | Description | Required
 `user_auth_type` \| `ipauserauthtype` |  set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
 `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
 `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
+`enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no
+`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and SID generation to be activated. | no
+`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and SID generation to be activated. (bool) | no
 
 
 Return Values
@@ -140,6 +180,8 @@ Variable | Description | Returned When
   | `user_auth_type` |  
   | `domain_resolution_order` |  
   | `ca_renewal_master_server` |  
+  | `enable_sid` |  
+  | `netbios_name` |  
 
 All returned fields take the same form as their namesake input parameters
 

README-group.md

@@ -8,6 +8,9 @@ The group module allows to ensure presence and absence of groups and members of
 
 The group module is as compatible as possible to the Ansible upstream `ipa_group` module, but additionally offers to add users to a group and also to remove users from a group.
 
+## Note
+Ensuring presence (adding) of several groups with mixed types (`external`, `nonposix` and `posix`) requires a fix in FreeIPA. The module implements a workaround to automatically use `client` context if the fix is not present in the target node FreeIPA and if more than one group is provided to the task using the `groups` parameter. If `ipaapi_context` is forced to be `server`, the module will fail in this case.
+
 
 Features
 --------
@@ -71,6 +74,62 @@ Example playbook to add groups:
       name: appops
 ```
 
+These three `ipagroup` module calls can be combined into one with the `groups` variable:
+
+```yaml
+---
+- name: Playbook to handle groups
+  hosts: ipaserver
+
+  tasks:
+  - name: Ensure groups ops, sysops and appops are present
+    ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      groups:
+      - name: ops
+        gidnumber: 1234
+      - name: sysops
+        user:
+        - pinky
+      - name: appops
+```
+
+You can also alternatively use a json file containing the groups, here `groups_present.json`:
+
+```json
+{
+  "groups": [
+    {
+      "name": "group1",
+      "description": "description group1"
+    },
+    {
+      "name": "group2",
+      "description": "description group2"
+    }
+  ]
+}
+```
+
+And ensure the presence of the groups with this example playbook:
+
+```yaml
+---
+- name: Tests
+  hosts: ipaserver
+  gather_facts: false
+
+  tasks:
+  - name: Include groups_present.json
+    include_vars:
+      file: groups_present.json
+
+  - name: Groups present
+    ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      groups: "{{ groups }}"
+```
+
 Example playbook to add users to a group:
 
 ```yaml
@@ -112,11 +171,11 @@ Example playbook to add group members to a group:
 Example playbook to add members from a trusted realm to an external group:
 
 ```yaml
---
+---
 - name: Playbook to handle groups.
   hosts: ipaserver
-  became: true
-
+  
+  tasks:
   - name: Create an external group and add members from a trust to it.
     ipagroup:
       ipaadmin_password: SomeADMINpassword
@@ -127,6 +186,24 @@ Example playbook to add members from a trusted realm to an external group:
       - WINIPA\\Developers
 ```
 
+Example playbook to add nonposix and external groups:
+
+```yaml
+---
+- name: Playbook to add nonposix and external groups
+  hosts: ipaserver
+
+  tasks:
+  - name: Add nonposix group sysops and external group appops
+    ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      groups:
+      - name: sysops
+        nonposix: true
+      - name: appops
+        external: true
+```
+
 Example playbook to remove groups:
 
 ```yaml
@@ -136,13 +213,29 @@ Example playbook to remove groups:
   become: true
 
   tasks:
-  # Remove goups sysops, appops and ops
+  # Remove groups sysops, appops and ops
   - ipagroup:
       ipaadmin_password: SomeADMINpassword
       name: sysops,appops,ops
       state: absent
 ```
 
+Example playbook to ensure groups are absent:
+
+```yaml
+---
+- name: Playbook to handle groups
+  hosts: ipaserver
+
+  tasks:
+  - name: Ensure groups ops and sysops are absent
+    ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      groups:
+      - name: ops
+      - name: sysops
+      state: absent
+```
 
 Variables
 =========
@@ -152,8 +245,10 @@ Variable | Description | Required
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
-`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
+`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to <br/>. (bool) | no
 `name` \| `cn` | The list of group name strings. | no
+`groups` | The list of group dicts. Each `groups` dict entry can contain group variables.<br>There is one required option in the `groups` dict:| no
+&nbsp; | `name` - The group name string of the entry. | yes
 `description` | The group description string. | no
 `gid` \| `gidnumber` | The GID integer. | no
 `posix` | Create a non-POSIX group or change a non-POSIX to a posix group. `nonposix`, `posix` and `external` are mutually exclusive. (bool) | no

README-host.md

@@ -372,8 +372,8 @@ There are only return values if one or more random passwords have been generated
 Variable | Description | Returned When
 -------- | ----------- | -------------
 `host` | Host dict with random password. (dict) <br>Options: | If random is yes and host did not exist or update_password is yes
-&nbsp; | `randompassword` - The generated random password | If only one host is handled by the module
-&nbsp; | `name` - The host name of the host that got a new random password. (dict) <br> Options: <br> &nbsp; `randompassword` - The generated random password | If several hosts are handled by the module
+&nbsp; | `randompassword` - The generated random password | If only one host is handled by the module without using the `hosts` parameter.
+&nbsp; | `name` - The host name of the host that got a new random password. (dict) <br> Options: <br> &nbsp; `randompassword` - The generated random password | If several hosts are handled by the module with the `hosts` parameter.
 
 
 Authors

README-netgroup.md

@@ -0,0 +1,179 @@
+Netgroup module
+============
+
+Description
+-----------
+
+The netgroup module allows to ensure presence and absence of netgroups.
+
+Features
+--------
+
+* Netgroup management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipanetgroup module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure netgroup "my_netgroup1" is present:
+
+```yaml
+---
+- name: Playbook to manage IPA netgroup.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure netgroup my_netgroup1 is present
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: my_netgroup1
+      description: My netgroup 1
+```
+
+
+Example playbook to make sure netgroup "my_netgroup1" is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA netgroup.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure netgroup my_netgroup1 is absent
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: my_netgroup1
+      state: absent
+```
+
+
+Example playbook to make sure netgroup is present with user "user1"
+
+```yaml
+---
+- name: Playbook to manage IPA netgroup.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure netgroup is present with user "user1"
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: TestNetgroup1
+      user: user1
+      action: member
+```
+
+
+Example playbook to make sure netgroup user, "user1", is absent
+
+```yaml
+---
+- name: Playbook to manage IPA netgroup.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure netgroup user, "user1", is absent
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: TestNetgroup1
+      user: "user1"
+      action: member
+      state: absent
+```
+
+
+Example playbook to make sure netgroup is present with members
+
+```yaml
+---
+- name: Playbook to manage IPA netgroup.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure netgroup members are present
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: TestNetgroup1
+      user: user1,user2
+      group: group1
+      host: host1
+      hostgroup: ipaservers
+      netgroup: admins
+      action: member
+```
+
+
+Example playbook to make sure 2 netgroups TestNetgroup1, admins are absent
+
+```yaml
+---
+- name: Playbook to manage IPA netgroup.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure netgroups are absent
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name:
+      - TestNetgroup1
+      - admins
+      state: absent
+```
+
+
+Variables
+---------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
+`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
+`name` \| `cn` | The list of netgroup name strings. | yes
+`description` | Netgroup description | no
+`nisdomain` | NIS domain name | no
+`nomembers` | Suppress processing of membership attributes. (bool) | no
+`user` | List of user name strings assigned to this netgroup. | no
+`group` | List of group name strings assigned to this netgroup. | no
+`host` | List of host name strings assigned to this netgroup. | no
+`hostgroup` | List of hostgroup name strings assigned to this netgroup. | no
+`netgroup` | List of netgroup name strings assigned to this netgroup. | no
+`action` | Work on group or member level. It can be on of `member` or `netgroup` and defaults to `netgroup`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Denis Karpelevich

README-pwpolicy.md

@@ -87,6 +87,36 @@ Example playbook to ensure maxlife is set to 49 in global policy:
       maxlife: 49
 ```
 
+Example playbook to ensure password grace period is set to 3 in global policy:
+
+```yaml
+---
+- name: Playbook to handle pwpolicies
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure maxlife is set to 49 in global policy
+  - ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      gracelimit: 3
+```
+
+Example playbook to ensure password grace period is set to unlimited in global policy:
+
+```yaml
+---
+- name: Playbook to handle pwpolicies
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure maxlife is set to 49 in global policy
+  - ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      gracelimit: -1
+```
+
 
 Variables
 =========
@@ -107,6 +137,11 @@ Variable | Description | Required
 `maxfail` \| `krbpwdmaxfailure` | Consecutive failures before lockout. (int) | no
 `failinterval` \| `krbpwdfailurecountinterval` | Period after which failure count will be reset in seconds. (int) | no
 `lockouttime` \| `krbpwdlockoutduration` | Period for which lockout is enforced in seconds. (int) | no
+`maxrepeat` \| `ipapwdmaxrepeat` | Maximum number of same consecutive characters. Requires IPA 4.9+ (int) | no
+`maxsequence` \| `ipapwdmaxsequence` |  The maximum length of monotonic character sequences (abcd). Requires IPA 4.9+ (int) | no
+`dictcheck` \| `ipapwdictcheck` | Check if the password is a dictionary word. Requires IPA 4.9+ (int) | no
+`usercheck` \| `ipapwdusercheck` | Check if the password contains the username. Requires IPA 4.9+ (int) | no
+`gracelimit` \| `passwordgracelimit` |  Number of LDAP authentications allowed after expiration. Requires IPA 4.9.10 (int) | no
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
 
 

README-sudorule.md

@@ -129,6 +129,7 @@ Variable | Description | Required
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `host` | List of host name strings assigned to this sudorule. | no
 `hostgroup` | List of host group name strings assigned to this sudorule. | no
+`hostmask` | List of host masks of allowed hosts | no
 `user` | List of user name strings assigned to this sudorule. | no
 `group` | List of user group name strings assigned to this sudorule. | no
 `allow_sudocmd` | List of sudocmd name strings assigned to the allow group of this sudorule. | no

README-user.md

@@ -381,8 +381,8 @@ Variable | Description | Required
 
 Variable | Description | Required
 -------- | ----------- | --------
-`first` \| `givenname` | The first name string. | no
-`last` \| `sn` | The last name string. | no
+`first` \| `givenname` | The first name string. Required if user does not exist. | no
+`last` \| `sn` | The last name string. Required if user does not exist. | no
 `fullname` \| `cn` | The full name string. | no
 `displayname` | The display name string. | no
 `homedir` | The home directory string. | no
@@ -393,8 +393,8 @@ Variable | Description | Required
 `passwordexpiration` \| `krbpasswordexpiration` | The kerberos password expiration date. Possible formats: `YYYYMMddHHmmssZ`, `YYYY-MM-ddTHH:mm:ssZ`, `YYYY-MM-ddTHH:mmZ`, `YYYY-MM-ddZ`, `YYYY-MM-dd HH:mm:ssZ` or `YYYY-MM-dd HH:mmZ`. The trailing 'Z' can be skipped. Only usable with IPA versions 4.7 and up. | no
 `password` | The user password string. | no
 `random` | Generate a random user password | no
-`uid` \| `uidnumber` | The UID integer. | no
-`gid` \| `gidnumber` | The GID integer. | no
+`uid` \| `uidnumber` | User ID Number (system will assign one if not provided). | no
+`gid` \| `gidnumber` | Group ID Number. | no
 `city` | City | no
 `userstate` \| `st` | State/Province | no
 `postalcode` \| `zip` | Postalcode/ZIP | no
@@ -434,8 +434,8 @@ There are only return values if one or more random passwords have been generated
 Variable | Description | Returned When
 -------- | ----------- | -------------
 `user` | User dict with random password. (dict) <br>Options: | If random is yes and user did not exist or update_password is yes
-&nbsp; | `randompassword` - The generated random password | If only one user is handled by the module
-&nbsp; | `name` - The user name of the user that got a new random password. (dict) <br> Options: <br> &nbsp; `randompassword` - The generated random password | If several users are handled by the module
+&nbsp; | `randompassword` - The generated random password | If only one user is handled by the module without using the `users` parameter.
+&nbsp; | `name` - The user name of the user that got a new random password. (dict) <br> Options: <br> &nbsp; `randompassword` - The generated random password | If several users are handled by the module with the `users` parameter.
 
 
 Authors

README-vault.md

@@ -222,8 +222,8 @@ Variable | Description | Required
 `password_file` \| `vault_password_file` \| `old_password_file`| File containing Base64 encoded Vault password. | no
 `new_password` | Vault new password. | no
 `new_password_file` | File containing Base64 encoded new Vault password. | no
-`public_key ` \| `vault_public_key` \| `ipavaultpublickey` | Base64 encoded vault public key. | no
-`public_key_file` \| `vault_public_key_file` | Path to file with public key. | no
+`public_key ` \| `vault_public_key` \| `ipavaultpublickey` \| `new_public_key` | Base64 encoded vault public key. | no
+`public_key_file` \| `vault_public_key_file` \| `new_public_key_file` | Path to file with public key. | no
 `private_key `\| `vault_private_key` \| `ipavaultprivatekey` | Base64 encoded vault private key. Used only to retrieve data. | no
 `private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no
 `salt` \| `vault_salt` \| `ipavaultsalt` | Vault salt. | no

README.md

@@ -17,6 +17,7 @@ Features
 * Modules for automount key management
 * Modules for automount location management
 * Modules for automount map management
+* Modules for certificate management
 * Modules for config management
 * Modules for delegation management
 * Modules for dns config management
@@ -31,6 +32,7 @@ Features
 * Modules for hostgroup management
 * Modules for idrange management
 * Modules for location management
+* Modules for netgroup management
 * Modules for permission management
 * Modules for privilege management
 * Modules for pwpolicy management
@@ -68,7 +70,6 @@ Requirements
 
 **Controller**
 * Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection)
-* /usr/bin/kinit is required on the controller if a one time password (OTP) is used
 
 **Node**
 * Supported FreeIPA version (see above)
@@ -288,7 +289,7 @@ ipaserver_domain=test.local
 ipaserver_realm=TEST.LOCAL
 ```
 
-For enhanced security it is possible to use a auto-generated one-time-password (OTP). This will be generated on the controller using the (first) server.
+For enhanced security it is possible to use a auto-generated one-time-password (OTP). This will be generated on the (first) server.
 
 To enable the generation of the one-time-password:
 ```yaml
@@ -436,6 +437,7 @@ Modules in plugin/modules
 * [ipaautomountkey](README-automountkey.md)
 * [ipaautomountlocation](README-automountlocation.md)
 * [ipaautomountmap](README-automountmap.md)
+* [ipacert](README-cert.md)
 * [ipaconfig](README-config.md)
 * [ipadelegation](README-delegation.md)
 * [ipadnsconfig](README-dnsconfig.md)
@@ -450,6 +452,7 @@ Modules in plugin/modules
 * [ipahostgroup](README-hostgroup.md)
 * [idrange](README-idrange.md)
 * [ipalocation](README-location.md)
+* [ipanetgroup](README-netgroup.md)
 * [ipapermission](README-permission.md)
 * [ipaprivilege](README-privilege.md)
 * [ipapwpolicy](README-pwpolicy.md)

galaxy.yml

@@ -13,8 +13,8 @@ homepage: "https://github.com/freeipa/ansible-freeipa"
 issues: "https://github.com/freeipa/ansible-freeipa/issues"
 
 readme: "README.md"
-license: "GPL-3.0-or-later"
-
+license:
+  - "GPL-3.0-or-later"
 tags:
   - "linux"
   - "system"

playbooks/automount/automount-map-absent.yml

@@ -4,7 +4,7 @@
   become: no
 
   tasks:
-  - name: ensure map TestMap is absent
+  - name: Ensure map TestMap is absent
     ipaautomountmap:
       ipaadmin_password: SomeADMINpassword
       name: TestMap

playbooks/automount/automount-map-present.yml

@@ -4,7 +4,7 @@
   become: no
 
   tasks:
-  - name: ensure map TestMap is present
+  - name: Ensure map TestMap is present
     ipaautomountmap:
       ipaadmin_password: SomeADMINpassword
       name: TestMap

playbooks/cert/cert-hold.yml

@@ -0,0 +1,14 @@
+- name: Certificate manage example
+  hosts: ipaserver
+  become: false
+  gather_facts: false
+  module_defaults:
+    ipacert:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: client
+
+  tasks:
+  - name: Temporarily hold a certificate
+    ipacert:
+      serial_number: 12345
+      state: held

playbooks/cert/cert-release.yml

@@ -0,0 +1,15 @@
+---
+- name: Certificate manage example
+  hosts: ipaserver
+  become: false
+  gather_facts: false
+  module_defaults:
+    ipacert:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: client
+
+  tasks:
+  - name: Release a certificate hold
+    ipacert:
+      serial_number: 12345
+      state: released

playbooks/cert/cert-request-host.yml

@@ -0,0 +1,26 @@
+---
+- name: Certificate manage example
+  hosts: ipaserver
+  become: false
+  gather_facts: false
+  module_defaults:
+    ipacert:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: client
+
+  tasks:
+  - name: Request a certificate for a host
+    ipacert:
+      csr: |
+        -----BEGIN CERTIFICATE REQUEST-----
+        MIIBWjCBxAIBADAbMRkwFwYDVQQDDBBob3N0LmV4YW1wbGUuY29tMIGfMA0GCSqG
+        SIb3DQEBAQUAA4GNADCBiQKBgQCzR3Vd4Cwl0uVgwB3+wxz+4JldFk3x526bPeuK
+        g8EEc+rEHILzJWeXC8ywCYPOgK9n7hrdMfVQiIx3yHYrY+0IYuLehWow4o1iJEf5
+        urPNAP9K9C4Y7MMXzzoQmoWR3IFQQpOYwvWOtiZfvrhmtflnYEGLE2tgz53gOQHD
+        NnbCCwIDAQABoAAwDQYJKoZIhvcNAQELBQADgYEAgF+6YC39WhnvmFgNz7pjAh5E
+        2ea3CgG+zrzAyiSBGG6WpXEjqMRnAQxciQNGxQacxjwWrscZidZzqg8URJPugewq
+        tslYB1+RkZn+9UWtfnWvz89+xnOgco7JlytnbH10Nfxt5fXXx13rY0tl54jBtk2W
+        422eYZ12wb4gjNcQy3A=
+        -----END CERTIFICATE REQUEST-----
+      principal: host/host.example.com
+      state: requested

playbooks/cert/cert-request-service.yml

@@ -0,0 +1,23 @@
+---
+- name: Certificate manage example
+  hosts: ipaserver
+  become: false
+  gather_facts: false
+  module_defaults:
+    ipacert:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: client
+
+  tasks:
+  - name: Request a certificate for a service
+    ipacert:
+      csr: |
+        -----BEGIN CERTIFICATE REQUEST-----
+        MIGYMEwCAQAwGTEXMBUGA1UEAwwOZnJlZWlwYSBydWxlcyEwKjAFBgMrZXADIQBs
+        HlqIr4b/XNK+K8QLJKIzfvuNK0buBhLz3LAzY7QDEqAAMAUGAytlcANBAF4oSCbA
+        5aIPukCidnZJdr491G4LBE+URecYXsPknwYb+V+ONnf5ycZHyaFv+jkUBFGFeDgU
+        SYaXm/gF8cDYjQI=
+        -----END CERTIFICATE REQUEST-----
+      principal: HTTP/www.example.com
+      add: true
+      state: requested

playbooks/cert/cert-request-user.yml

@@ -0,0 +1,27 @@
+---
+- name: Certificate manage example
+  hosts: ipaserver
+  become: false
+  gather_facts: false
+  module_defaults:
+    ipacert:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: client
+
+  tasks:
+  - name: Request a certificate for a user with a specific profile
+    ipacert:
+      csr: |
+        -----BEGIN CERTIFICATE REQUEST-----
+        MIIBejCB5AIBADAQMQ4wDAYDVQQDDAVwaW5reTCBnzANBgkqhkiG9w0BAQEFAAOB
+        jQAwgYkCgYEA7uChccy1Is1FTM0SF23WPYW472E3ozeLh2kzhKR9Ni6FLmeEGgu7
+        /hicR1VwvXHYkNwI1tpW9LqxRVvgr6vheqHySljrBcoRfshfYvKejp03l2327Bfq
+        BNxXqLcHylNEyg8SH0u63bWyxtgoDBfdZwdGAhYuJ+g4ev79J5eYoB0CAwEAAaAr
+        MCkGCSqGSIb3DQEJDjEcMBowGAYHKoZIzlYIAQQNDAtoZWxsbyB3b3JsZDANBgkq
+        hkiG9w0BAQsFAAOBgQADCi5BHDv1mrBFDWqYytFpQ1mrvr/mdax3AYXxNL2UEV8j
+        AqZAFTEnJXL/u1eVQtI1yotqxakyUBN4XZBP2CBgJRO93Mtry8cgvU1sPdU8Mavx
+        5gSnlP74Hio2ziscWWydlxpYxFx0gkKvu+0nyIpz954SVYwQ2wwk5FRqZnxI5w==
+        -----END CERTIFICATE REQUEST-----
+      principal: pinky
+      profile: IECUserRoles
+      state: requested

playbooks/cert/cert-retrieve.yml

@@ -0,0 +1,16 @@
+---
+- name: Certificate manage example
+  hosts: ipaserver
+  become: false
+  gather_facts: false
+  module_defaults:
+    ipacert:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: client
+
+  tasks:
+  - name: Retrieve a certificate
+    ipacert:
+      serial_number: 12345
+      state: retrieved
+    register: cert_retrieved

playbooks/cert/cert-revoke.yml

@@ -0,0 +1,18 @@
+---
+- name: Certificate manage example
+  hosts: ipaserver
+  become: false
+  gather_facts: false
+  module_defaults:
+    ipacert:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: client
+
+  tasks:
+  - name: Permanently revoke a certificate issued by a lightweight sub-CA
+    ipacert:
+      serial_number: 12345
+      ca: vpn-ca
+      # reason: keyCompromise (1)
+      reason: 1
+      state: revoked

playbooks/config/change-ipa-domain-netbios-name.yml

@@ -0,0 +1,12 @@
+---
+- name: Playbook to change IPA domain netbios name
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+    - name: Set IPA domain netbios name
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        netbios_name: IPADOM

playbooks/config/generate-users-groups-sids.yml

@@ -0,0 +1,12 @@
+---
+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+    - name: Enable SID and generate users and groups SIDS
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        add_sids: yes

playbooks/config/retrieve-config.yml

@@ -1,5 +1,5 @@
 ---
-- name: Playbook to handle global DNS configuration
+- name: Playbook to handle global IPA configuration
   hosts: ipaserver
   become: no
   gather_facts: no
@@ -11,5 +11,5 @@
     register: serverconfig
 
   - name: Display current configuration.
-    debug:
+    ansible.builtin.debug:
       msg: "{{ serverconfig }}"

playbooks/config/set-ca-renewal-master-server.yml

@@ -1,11 +1,11 @@
 ---
-- name: Playbook to handle global DNS configuration
+- name: Playbook to handle global IPA configuration
   hosts: ipaserver
   become: no
   gather_facts: no
 
   tasks:
-  - name: set ca_renewal_master_server
+  - name: Set ca_renewal_master_server
     ipaconfig:
       ipaadmin_password: SomeADMINpassword
       ca_renewal_master_server: carenewal.example.com

playbooks/dnszone/dnszone-all-params.yml

@@ -1,5 +1,5 @@
 ---
-- name: dnszone present
+- name: All dnszone parameters
   hosts: ipaserver
   become: true
 

playbooks/dnszone/dnszone-present.yml

@@ -1,5 +1,5 @@
 ---
-- name: dnszone present
+- name: Dnszone present
   hosts: ipaserver
   become: true
 

playbooks/dnszone/dnszone-reverse-from-ip.yml

@@ -11,5 +11,5 @@
     register: result
 
   - name: Zone name inferred from `name_from_ip`
-    debug:
+    ansible.builtin.debug:
       msg: "Zone created: {{ result.dnszone.name }}"

playbooks/group/add-groups.yml

@@ -0,0 +1,32 @@
+---
+- name: Playbook to handle multiple groups
+  hosts: ipaserver
+
+  tasks:
+  - name: Create multiple groups ops, sysops
+    ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      groups:
+      - name: ops
+        gidnumber: 1234
+      - name: sysops
+
+  - name: Add user and group members to groups sysops and appops
+    ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      groups:
+      - name: sysops
+        user:
+          - user1
+      - name: appops
+        group:
+          - group2
+
+  - name: Create multiple non-POSIX and external groups
+    ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      groups:
+      - name: nongroup
+        nonposix: true
+      - name: extgroup
+        external: true

playbooks/host/ensure_host_with_randompassword.yml

@@ -14,5 +14,5 @@
     register: ipahost
 
   - name: Print generated random password
-    debug:
+    ansible.builtin.debug:
       var: ipahost.host.randompassword

playbooks/host/host-present-with-randompassword.yml

@@ -13,5 +13,5 @@
     register: ipahost
 
   - name: Print generated random password
-    debug:
+    ansible.builtin.debug:
       var: ipahost.host.randompassword

playbooks/host/hosts-present-with-randompasswords.yml

@@ -17,9 +17,9 @@
     register: ipahost
 
   - name: Print generated random password for host01.example.com
-    debug:
+    ansible.builtin.debug:
       var: ipahost.host["host01.example.com"].randompassword
 
   - name: Print generated random password for host02.example.com
-    debug:
+    ansible.builtin.debug:
       var: ipahost.host["host02.example.com"].randompassword

playbooks/netgroup/netgroup-absent.yml

@@ -0,0 +1,12 @@
+---
+- name: Netgroup absent example
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Ensure netgroup my_netgroup1 is absent
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: my_netgroup1
+      state: absent

playbooks/netgroup/netgroup-member-absent.yml

@@ -0,0 +1,14 @@
+---
+- name: Netgroup absent example
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Ensure netgroup user, "user1", is absent
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: TestNetgroup1
+      user: "user1"
+      action: member
+      state: absent

playbooks/netgroup/netgroup-member-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Netgroup member present example
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Ensure netgroup is present with user "user1"
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: TestNetgroup1
+      user: user1
+      action: member

playbooks/netgroup/netgroup-present.yml

@@ -0,0 +1,12 @@
+---
+- name: Netgroup present example
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Ensure netgroup my_netgroup1 is present
+    ipanetgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: my_netgroup1
+      description: My netgroup 1

playbooks/pwpolicy/pwpolicy_grace_limit.yml

@@ -0,0 +1,11 @@
+---
+- name: Playbook to manage password policy
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Set password policy grace limit.
+    ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      gracelimit: 3

playbooks/pwpolicy/pwpolicy_password_check.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage password policy
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Set password checking parameters.
+    ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      maxrepeat: 2
+      maxsequence: 3
+      dictcheck: yes
+      usercheck: yes

playbooks/sudorule/ensure-sudorule-hostmask-member-is-absent.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage sudorule
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Ensure hostmask network is absent in sudorule
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      hostmask: 192.168.122.37/24
+      action: member
+      state: absent

playbooks/sudorule/ensure-sudorule-hostmask-member-is-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage sudorule
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Ensure hostmask network is present in sudorule
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      hostmask: 192.168.122.37/24
+      action: member

playbooks/trust/add-trust.yml

@@ -4,7 +4,7 @@
   become: true
 
   tasks:
-    - name: ensure the trust is present
+    - name: Ensure the trust is present
       ipatrust:
         ipaadmin_password: SomeADMINpassword
         realm: windows.local

playbooks/trust/del-trust.yml

@@ -4,7 +4,7 @@
   become: true
 
   tasks:
-    - name: ensure the trust is absent
+    - name: Ensure the trust is absent
       ipatrust:
         ipaadmin_password: SomeADMINpassword
         realm: windows.local

playbooks/user/ensure_user_with_randompassword.yml

@@ -15,5 +15,5 @@
     register: ipauser
 
   - name: Print generated random password
-    debug:
+    ansible.builtin.debug:
       var: ipauser.user.randompassword

playbooks/user/ensure_users_with_randompasswords.yml

@@ -20,9 +20,9 @@
     register: ipauser
 
   - name: Print generated random password for user1
-    debug:
+    ansible.builtin.debug:
       var: ipauser.user.user1.randompassword
 
   - name: Print generated random password for user2
-    debug:
+    ansible.builtin.debug:
       var: ipauser.user.user2.randompassword

playbooks/vault/retrive-data-asymmetric-vault.yml

@@ -15,5 +15,5 @@
       register: result
       no_log: true
     - name: Display retrieved data.
-      debug:
+      ansible.builtin.debug:
         msg: "Data: {{ result.vault.data }}"

playbooks/vault/retrive-data-symmetric-vault.yml

@@ -15,5 +15,5 @@
       register: result
       no_log: true
     - name: Display retrieved data.
-      debug:
+      ansible.builtin.debug:
         msg: "Data: {{ result.vault.data }}"

playbooks/vault/vault-is-present-with-password-file.yml

@@ -6,7 +6,7 @@
 
   tasks:
   - name: Copy file containing password to server.
-    copy:
+    ansible.builtin.copy:
       src: "{{ playbook_dir }}/password.txt"
       dest: "{{ ansible_facts['env'].HOME }}/password.txt"
       owner: "{{ ansible_user }}"
@@ -20,6 +20,6 @@
       vault_type: symmetric
       vault_password_file: "{{ ansible_facts['env'].HOME }}/password.txt"
   - name: Remove file containing password from server.
-    file:
+    ansible.builtin.file:
       path: "{{ ansible_facts['env'].HOME }}/password.txt"
       state: absent

playbooks/vault/vault-is-present-with-public-key-file.yml

@@ -11,7 +11,7 @@
 
   tasks:
   - name: Copy public key file to server.
-    copy:
+    ansible.builtin.copy:
       src: "{{ playbook_dir }}/public.pem"
       dest: "{{ ansible_facts['env'].HOME }}/public.pem"
       owner: "{{ ansible_user }}"
@@ -25,6 +25,6 @@
       vault_type: asymmetric
       vault_public_key_file: "{{ ansible_facts['env'].HOME }}/public.pem"
   - name: Remove public key file from server.
-    file:
+    ansible.builtin.file:
       path: "{{ ansible_facts['env'].HOME }}/public.pem"
       state: absent

plugins/doc_fragments/ipamodule_base_docs.py

@@ -30,15 +30,18 @@ options:
   ipaadmin_principal:
     description: The admin principal.
     default: admin
+    type: str
   ipaadmin_password:
     description: The admin password.
     required: false
+    type: str
   ipaapi_context:
     description: |
       The context in which the module will execute. Executing in a
       server context is preferred. If not provided context will be
       determined by the execution environment.
     choices: ["server", "client"]
+    type: str
     required: false
   ipaapi_ldap_cache:
     description: Use LDAP cache for IPA connection.

plugins/modules/ipaautomember.py

@@ -3,8 +3,9 @@
 # Authors:
 #   Mark Hahl <mhahl@redhat.com>
 #   Jake Reynolds <jakealexis@gmail.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2021 Red Hat
+# Copyright (C) 2021-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -34,21 +35,24 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipaautomember
-short description: Add and delete FreeIPA Auto Membership Rules.
+short_description: Add and delete FreeIPA Auto Membership Rules.
 description: Add, modify and delete an IPA Auto Membership Rules.
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The automember rule
-    required: true
+    required: false
+    type: list
+    elements: str
     aliases: ["cn"]
   description:
     description: A description of this auto member rule
     required: false
+    type: str
   automember_type:
     description: Grouping to which the rule applies
-    required: true
+    required: false
     type: str
     choices: ["group", "hostgroup"]
   exclusive:
@@ -56,7 +60,7 @@ options:
     type: list
     elements: dict
     aliases: ["automemberexclusiveregex"]
-    options:
+    suboptions:
       key:
         description: The attribute of the regex
         type: str
@@ -70,7 +74,7 @@ options:
     type: list
     elements: dict
     aliases: ["automemberinclusiveregex"]
-    options:
+    suboptions:
       key:
         description: The attribute of the regex
         type: str
@@ -82,10 +86,12 @@ options:
   users:
     description: Users to rebuild membership for.
     type: list
+    elements: str
     required: false
   hosts:
     description: Hosts to rebuild membership for.
     type: list
+    elements: str
     required: false
   no_wait:
     description: Don't wait for rebuilding membership.
@@ -95,16 +101,18 @@ options:
     type: str
   action:
     description: Work on automember or member level
+    type: str
     default: automember
     choices: ["member", "automember"]
   state:
     description: State to ensure
+    type: str
     default: present
     choices: ["present", "absent", "rebuilt", "orphans_removed"]
 author:
-    - Mark Hahl
-    - Jake Reynolds
-    - Thomas Woerner
+  - Mark Hahl (@mhahl)
+  - Jake Reynolds (@jake2184)
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -208,7 +216,6 @@ EXAMPLES = """
 RETURN = """
 """
 
-
 from ansible.module_utils.ansible_freeipa_module import (
     IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, ipalib_errors, DN
 )
@@ -315,7 +322,8 @@ def main():
                            aliases=["automemberinclusiveregex"],
                            default=None,
                            options=dict(
-                               key=dict(type="str", required=True),
+                               key=dict(type="str", required=True,
+                                        no_log=False),
                                expression=dict(type="str", required=True)
                            ),
                            elements="dict",
@@ -324,12 +332,13 @@ def main():
                            aliases=["automemberexclusiveregex"],
                            default=None,
                            options=dict(
-                               key=dict(type="str", required=True),
+                               key=dict(type="str", required=True,
+                                        no_log=False),
                                expression=dict(type="str", required=True)
                            ),
                            elements="dict",
                            required=False),
-            name=dict(type="list", aliases=["cn"],
+            name=dict(type="list", elements="str", aliases=["cn"],
                       default=None, required=False),
             description=dict(type="str", default=None),
             automember_type=dict(type='str', required=False,
@@ -341,8 +350,8 @@ def main():
             state=dict(type="str", default="present",
                        choices=["present", "absent", "rebuilt",
                                 "orphans_removed"]),
-            users=dict(type="list", default=None),
-            hosts=dict(type="list", default=None),
+            users=dict(type="list", elements="str", default=None),
+            hosts=dict(type="list", elements="str", default=None),
         ),
         supports_check_mode=True,
     )

plugins/modules/ipaautomountkey.py

@@ -3,8 +3,9 @@
 
 # Authors:
 #   Chris Procter <cprocter@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2021 Red Hat
+# Copyright (C) 2021-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -34,39 +35,43 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = '''
 ---
 module: ipaautomountkey
-author: chris procter
+author:
+  - Chris Procter (@chr15p))
+  - Thomas Woerner (@t-woerner)
 short_description: Manage FreeIPA autommount map
 description:
 - Add, delete, and modify an IPA automount map
+extends_documentation_fragment:
+  - ipamodule_base_docs
 options:
-  ipaadmin_principal:
-    description: The admin principal
-    default: admin
-  ipaadmin_password:
-    description: The admin password
-    required: False
   location:
     description: automount location map is in
+    type: str
     required: True
-    choices: ["automountlocationcn", "automountlocation"]
+    aliases: ["automountlocationcn", "automountlocation"]
   mapname:
     description: automount map to be managed
-    choices: ["map", "automountmapname", "automountmap"]
+    type: str
+    aliases: ["map", "automountmapname", "automountmap"]
     required: True
   key:
     description: automount key to be managed
+    type: str
     required: True
-    choices: ["name", "automountkey"]
-  newkey:
+    aliases: ["name", "automountkey"]
+  rename:
     description: key to change to if state is 'renamed'
-    required: True
-    choices: ["newname", "newautomountkey"]
+    type: str
+    required: False
+    aliases: ["new_name", "newautomountkey"]
   info:
     description: Mount information for the key
-    required: True
-    choices: ["information", "automountinformation"]
+    type: str
+    required: False
+    aliases: ["information", "automountinformation"]
   state:
     description: State to ensure
+    type: str
     required: False
     default: present
     choices: ["present", "absent", "renamed"]
@@ -193,7 +198,7 @@ def main():
             state=dict(
                 type='str',
                 choices=['present', 'absent', 'renamed'],
-                required=None,
+                required=False,
                 default='present',
             ),
             location=dict(
@@ -215,6 +220,7 @@ def main():
                 type="str",
                 aliases=["name", "automountkey"],
                 required=True,
+                no_log=False,
             ),
             info=dict(
                 type="str",

plugins/modules/ipaautomountlocation.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 # Authors:
 #   Chris Procter <cprocter@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2021 Red Hat
+# Copyright (C) 2021-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,7 +33,9 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = '''
 ---
 module: ipaautomountlocation
-author: chris procter
+author:
+  - Chris Procter (@chr15p)
+  - Thomas Woerner (@t-woerner)
 short_description: Manage FreeIPA autommount locations
 description:
 - Add and delete an IPA automount location
@@ -42,10 +45,13 @@ options:
   name:
     description: The automount location to be managed
     required: true
+    type: list
+    elements: str
     aliases: ["cn","location"]
   state:
     description: State to ensure
     required: false
+    type: str
     default: present
     choices: ["present", "absent"]
 '''
@@ -116,9 +122,8 @@ def main():
                        default='present',
                        choices=['present', 'absent']
                        ),
-            name=dict(type="list",
+            name=dict(type="list", elements="str",
                       aliases=["cn", "location"],
-                      default=None,
                       required=True
                       ),
         ),

plugins/modules/ipaautomountmap.py

@@ -2,8 +2,9 @@
 # -*- coding: utf-8 -*-
 # Authors:
 #   Chris Procter <cprocter@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2021 Red Hat
+# Copyright (C) 2021-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -33,31 +34,34 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = '''
 ---
 module: ipaautomountmap
-author: Chris Procter
+author:
+  - Chris Procter (@chr15p)
+  - Thomas Woerner (@t-woerner)
 short_description: Manage FreeIPA autommount map
 description:
 - Add, delete, and modify an IPA automount map
+extends_documentation_fragment:
+  - ipamodule_base_docs
 options:
-  ipaadmin_principal:
-    description: The admin principal.
-    default: admin
-  ipaadmin_password:
-    description: The admin password.
-    required: false
   automountlocation:
     description: automount location map is anchored to
-    choices: ["location", "automountlocationcn"]
+    type: str
+    aliases: ["location", "automountlocationcn"]
     required: True
   name:
     description: automount map to be managed.
-    choices: ["mapname", "map", "automountmapname"]
+    type: list
+    elements: str
+    aliases: ["mapname", "map", "automountmapname"]
     required: True
   desc:
     description: description of automount map.
-    choices: ["description"]
+    type: str
+    aliases: ["description"]
     required: false
   state:
     description: State to ensure
+    type: str
     required: false
     default: present
     choices: ["present", "absent"]
@@ -122,7 +126,7 @@ class AutomountMap(IPAAnsibleModule):
 
         self.params_fail_used_invalid(invalid, state)
 
-    def get_args(self, mapname, desc):  # pylint: disable=no-self-use
+    def get_args(self, mapname, desc):
         # automountmapname is required for all automountmap operations.
         if not mapname:
             self.fail_json(msg="automountmapname cannot be None or empty.")
@@ -169,12 +173,10 @@ def main():
                        ),
             location=dict(type="str",
                           aliases=["automountlocation", "automountlocationcn"],
-                          default=None,
                           required=True
                           ),
-            name=dict(type="list",
+            name=dict(type="list", elements="str",
                       aliases=["mapname", "map", "automountmapname"],
-                      default=None,
                       required=True
                       ),
             desc=dict(type="str",

plugins/modules/ipacert.py

@@ -0,0 +1,571 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Authors:
+#   Sam Morris <sam@robots.org.uk>
+#   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#
+# Copyright (C) 2021 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {
+    "metadata_version": "1.0",
+    "supported_by": "community",
+    "status": ["preview"],
+}
+
+DOCUMENTATION = """
+---
+module: ipacert
+short description: Manage FreeIPA certificates
+description: Manage FreeIPA certificates
+extends_documentation_fragment:
+  - ipamodule_base_docs
+options:
+  csr:
+    description: |
+      X509 certificate signing request, in RFC 7468 PEM encoding.
+      Only available if `state: requested`, required if `csr_file` is not
+      provided.
+    type: str
+  csr_file:
+    description: |
+      Path to file with X509 certificate signing request, in RFC 7468 PEM
+      encoding. Only available if `state: requested`, required if `csr_file`
+      is not provided.
+    type: str
+  principal:
+    description: |
+      Host/service/user principal for the certificate.
+      Required if `state: requested`. Only available if `state: requested`.
+    type: str
+  add:
+    description: |
+      Automatically add the principal if it doesn't exist (service
+      principals only). Only available if `state: requested`.
+    type: bool
+    aliases: ["add_principal"]
+    required: false
+  ca:
+    description: Name of the issuing certificate authority.
+    type: str
+    required: false
+  serial_number:
+    description: |
+      Certificate serial number. Cannot be used with `state: requested`.
+      Required for all states, except `requested`.
+    type: int
+  profile:
+    description: Certificate Profile to use.
+    type: str
+    aliases: ["profile_id"]
+    required: false
+  revocation_reason:
+    description: |
+      Reason for revoking the certificate. Use one of the reason strings,
+      or the corresponding value: "unspecified" (0), "keyCompromise" (1),
+      "cACompromise" (2), "affiliationChanged" (3), "superseded" (4),
+      "cessationOfOperation" (5), "certificateHold" (6), "removeFromCRL" (8),
+      "privilegeWithdrawn" (9), "aACompromise" (10).
+      Use only if `state: revoked`. Required if `state: revoked`.
+    type: raw
+    aliases: ['reason']
+  certificate_out:
+    description: |
+      Write certificate (chain if `chain` is set) to this file, on the target
+      node.. Use only when `state` is `requested` or `retrieved`.
+    type: str
+    required: false
+  state:
+    description: |
+      The state to ensure. `held` is the same as revoke with reason
+      "certificateHold" (6). `released` is the same as `cert-revoke-hold`
+      on IPA CLI, releasing the hold status of a certificate.
+    choices: ["requested", "held", "released", "revoked", "retrieved"]
+    required: true
+    type: str
+author:
+authors:
+  - Sam Morris (@yrro)
+  - Rafael Guterres Jeffman (@rjeffman)
+"""
+
+EXAMPLES = """
+- name: Request a certificate for a web server
+  ipacert:
+    ipaadmin_password: SomeADMINpassword
+    state: requested
+    csr: |
+      -----BEGIN CERTIFICATE REQUEST-----
+      MIGYMEwCAQAwGTEXMBUGA1UEAwwOZnJlZWlwYSBydWxlcyEwKjAFBgMrZXADIQBs
+      HlqIr4b/XNK+K8QLJKIzfvuNK0buBhLz3LAzY7QDEqAAMAUGAytlcANBAF4oSCbA
+      5aIPukCidnZJdr491G4LBE+URecYXsPknwYb+V+ONnf5ycZHyaFv+jkUBFGFeDgU
+      SYaXm/gF8cDYjQI=
+      -----END CERTIFICATE REQUEST-----
+    principal: HTTP/www.example.com
+  register: cert
+
+- name: Request certificate for a user, with an appropriate profile.
+  ipacert:
+    ipaadmin_password: SomeADMINpassword
+    csr: |
+      -----BEGIN CERTIFICATE REQUEST-----
+      MIIBejCB5AIBADAQMQ4wDAYDVQQDDAVwaW5reTCBnzANBgkqhkiG9w0BAQEFAAOB
+      jQAwgYkCgYEA7uChccy1Is1FTM0SF23WPYW472E3ozeLh2kzhKR9Ni6FLmeEGgu7
+      /hicR1VwvXHYkNwI1tpW9LqxRVvgr6vheqHySljrBcoRfshfYvKejp03l2327Bfq
+      BNxXqLcHylNEyg8SH0u63bWyxtgoDBfdZwdGAhYuJ+g4ev79J5eYoB0CAwEAAaAr
+      MCkGCSqGSIb3DQEJDjEcMBowGAYHKoZIzlYIAQQNDAtoZWxsbyB3b3JsZDANBgkq
+      hkiG9w0BAQsFAAOBgQADCi5BHDv1mrBFDWqYytFpQ1mrvr/mdax3AYXxNL2UEV8j
+      AqZAFTEnJXL/u1eVQtI1yotqxakyUBN4XZBP2CBgJRO93Mtry8cgvU1sPdU8Mavx
+      5gSnlP74Hio2ziscWWydlxpYxFx0gkKvu+0nyIpz954SVYwQ2wwk5FRqZnxI5w==
+      -----END CERTIFICATE REQUEST-----
+    principal: pinky
+    profile_id: IECUserRoles
+    state: requested
+
+- name: Temporarily hold a certificate
+  ipacert:
+    ipaadmin_password: SomeADMINpassword
+    serial_number: 12345
+    state: held
+
+- name: Remove a certificate hold
+  ipacert:
+    ipaadmin_password: SomeADMINpassword
+    state: released
+    serial_number: 12345
+
+- name: Permanently revoke a certificate issued by a lightweight sub-CA
+  ipacert:
+    ipaadmin_password: SomeADMINpassword
+    state: revoked
+    ca: vpn-ca
+    serial_number: 0x98765
+    reason: keyCompromise
+
+- name: Retrieve a certificate
+  ipacert:
+    ipaadmin_password: SomeADMINpassword
+    serial_number: 12345
+    state: retrieved
+  register: cert_retrieved
+"""
+
+RETURN = """
+certificate:
+  description: Certificate fields and data.
+  returned: |
+    if `state` is `requested` or `retrived` and `certificate_out`
+    is not defined.
+  type: dict
+  contains:
+    certificate:
+      description: |
+        Issued X509 certificate in PEM encoding. Will include certificate
+        chain if `chain: true` is used.
+      type: list
+      elements: str
+      returned: always
+    issuer:
+      description: X509 distinguished name of issuer.
+      type: str
+      sample: CN=Certificate Authority,O=EXAMPLE.COM
+      returned: always
+    serial_number:
+      description: Serial number of the issued certificate.
+      type: int
+      sample: 902156300
+      returned: always
+    valid_not_after:
+      description: |
+        Time when issued certificate ceases to be valid,
+        in GeneralizedTime format (YYYYMMDDHHMMSSZ).
+      type: str
+      returned: always
+    valid_not_before:
+      description: |
+        Time when issued certificate becomes valid, in
+        GeneralizedTime format (YYYYMMDDHHMMSSZ).
+      type: str
+      returned: always
+    subject:
+      description: X509 distinguished name of certificate subject.
+      type: str
+      sample: CN=www.example.com,O=EXAMPLE.COM
+      returned: always
+    san_dnsname:
+      description: X509 Subject Alternative Name.
+      type: list
+      elements: str
+      sample: ['www.example.com', 'other.example.com']
+      returned: |
+        when DNSNames are present in the Subject Alternative Name
+        extension of the issued certificate.
+    revoked:
+      description: Revoked status of the certificate.
+      type: bool
+      returned: always
+    owner_user:
+      description: The username that owns the certificate.
+      type: str
+      returned: when `state` is `retrieved`
+    owner_host:
+      description: The host that owns the certificate.
+      type: str
+      returned: when `state` is `retrieved`
+    owner_service:
+      description: The service that owns the certificate.
+      type: str
+      returned: when `state` is `retrieved`
+"""
+
+import base64
+import time
+import ssl
+
+from ansible.module_utils import six
+from ansible.module_utils._text import to_text
+from ansible.module_utils.ansible_freeipa_module import (
+    IPAAnsibleModule, certificate_loader, write_certificate_list,
+)
+
+if six.PY3:
+    unicode = str
+
+# Reasons are defined in RFC 5280 sec. 5.3.1; removeFromCRL is not present in
+# this list; run the module with state=released instead.
+REVOCATION_REASONS = {
+    'unspecified': 0,
+    'keyCompromise': 1,
+    'cACompromise': 2,
+    'affiliationChanged': 3,
+    'superseded': 4,
+    'cessationOfOperation': 5,
+    'certificateHold': 6,
+    'removeFromCRL': 8,
+    'privilegeWithdrawn': 9,
+    'aACompromise': 10,
+}
+
+
+def gen_args(
+    module, principal=None, add_principal=None, ca=None, chain=None,
+    profile=None, certificate_out=None, reason=None
+):
+    args = {}
+    if principal is not None:
+        args['principal'] = principal
+    if add_principal is not None:
+        args['add'] = add_principal
+    if ca is not None:
+        args['cacn'] = ca
+    if profile is not None:
+        args['profile_id'] = profile
+    if certificate_out is not None:
+        args['out'] = certificate_out
+    if chain:
+        args['chain'] = True
+    if ca:
+        args['cacn'] = ca
+    if reason is not None:
+        args['revocation_reason'] = get_revocation_reason(module, reason)
+    return args
+
+
+def get_revocation_reason(module, reason):
+    """Ensure revocation reasion is a valid integer code."""
+    reason_int = -1
+
+    try:
+        reason_int = int(reason)
+    except ValueError:
+        reason_int = REVOCATION_REASONS.get(reason, -1)
+
+    if reason_int not in REVOCATION_REASONS.values():
+        module.fail_json(msg="Invalid revocation reason: %s" % reason)
+
+    return reason_int
+
+
+def parse_cert_timestamp(dt):
+    """Ensure time is in GeneralizedTime format (YYYYMMDDHHMMSSZ)."""
+    return time.strftime(
+        "%Y%m%d%H%M%SZ",
+        time.strptime(dt, "%a %b %d %H:%M:%S %Y UTC")
+    )
+
+
+def result_handler(_module, result, _command, _name, _args, exit_args, chain):
+    """Split certificate into fields."""
+    if chain:
+        exit_args['certificate'] = [
+            ssl.DER_cert_to_PEM_cert(c)
+            for c in result['result'].get('certificate_chain', [])
+        ]
+    else:
+        exit_args['certificate'] = [
+            ssl.DER_cert_to_PEM_cert(
+                base64.b64decode(result['result']['certificate'])
+            )
+        ]
+
+    exit_args['san_dnsname'] = [
+        str(dnsname)
+        for dnsname in result['result'].get('san_dnsname', [])
+    ]
+
+    exit_args.update({
+        key: result['result'][key]
+        for key in [
+            'issuer', 'subject', 'serial_number',
+            'revoked', 'revocation_reason'
+        ]
+        if key in result['result']
+    })
+    exit_args.update({
+        key: result['result'][key][0]
+        for key in ['owner_user', 'owner_host', 'owner_service']
+        if key in result['result']
+    })
+
+    exit_args.update({
+        key: parse_cert_timestamp(result['result'][key])
+        for key in ['valid_not_after', 'valid_not_before']
+        if key in result['result']
+    })
+
+
+def do_cert_request(
+    module, csr, principal, add_principal=None, ca=None, profile=None,
+    chain=None, certificate_out=None
+):
+    """Request a certificate."""
+    args = gen_args(
+        module, principal=principal, ca=ca, chain=chain,
+        add_principal=add_principal, profile=profile,
+    )
+    exit_args = {}
+    commands = [[to_text(csr), "cert_request", args]]
+    changed = module.execute_ipa_commands(
+        commands,
+        result_handler=result_handler,
+        exit_args=exit_args,
+        chain=chain
+    )
+
+    if certificate_out is not None:
+        certs = (
+            certificate_loader(cert.encode("utf-8"))
+            for cert in exit_args['certificate']
+        )
+        write_certificate_list(certs, certificate_out)
+        exit_args = {}
+
+    return changed, exit_args
+
+
+def do_cert_revoke(ansible_module, serial_number, reason=None, ca=None):
+    """Revoke a certificate."""
+    _ign, cert = do_cert_retrieve(ansible_module, serial_number, ca)
+    if not cert or cert.get('revoked', False):
+        return False, cert
+
+    args = gen_args(ansible_module, ca=ca, reason=reason)
+
+    commands = [[serial_number, "cert_revoke", args]]
+    changed = ansible_module.execute_ipa_commands(commands)
+
+    return changed, cert
+
+
+def do_cert_release(ansible_module, serial_number, ca=None):
+    """Release hold on certificate."""
+    _ign, cert = do_cert_retrieve(ansible_module, serial_number, ca)
+    revoked = cert.get('revoked', True)
+    reason = cert.get('revocation_reason', -1)
+    if cert and not revoked:
+        return False, cert
+
+    if revoked and reason != 6:  # can only release held certificates
+        ansible_module.fail_json(
+            msg="Cannot release hold on certificate revoked with"
+                " reason: %d" % reason
+        )
+    args = gen_args(ansible_module, ca=ca)
+
+    commands = [[serial_number, "cert_remove_hold", args]]
+    changed = ansible_module.execute_ipa_commands(commands)
+
+    return changed, cert
+
+
+def do_cert_retrieve(
+    module, serial_number, ca=None, chain=None, outfile=None
+):
+    """Retrieve a certificate with 'cert-show'."""
+    args = gen_args(module, ca=ca, chain=chain, certificate_out=outfile)
+    exit_args = {}
+    commands = [[serial_number, "cert_show", args]]
+    module.execute_ipa_commands(
+        commands,
+        result_handler=result_handler,
+        exit_args=exit_args,
+        chain=chain,
+    )
+    if outfile is not None:
+        exit_args = {}
+
+    return False, exit_args
+
+
+def main():
+    ansible_module = IPAAnsibleModule(
+        argument_spec=dict(
+            # requested
+            csr=dict(type="str"),
+            csr_file=dict(type="str"),
+            principal=dict(type="str"),
+            add_principal=dict(type="bool", required=False, aliases=["add"]),
+            profile_id=dict(type="str", aliases=["profile"], required=False),
+            # revoked
+            revocation_reason=dict(type="raw", aliases=["reason"]),
+            # general
+            serial_number=dict(type="int"),
+            ca=dict(type="str"),
+            chain=dict(type="bool", required=False),
+            certificate_out=dict(type="str", required=False),
+            # state
+            state=dict(
+                type="str",
+                required=True,
+                choices=[
+                    "requested", "held", "released", "revoked", "retrieved"
+                ]
+            ),
+        ),
+        mutually_exclusive=[["csr", "csr_file"]],
+        required_if=[
+            ('state', 'requested', ['principal']),
+            ('state', 'retrieved', ['serial_number']),
+            ('state', 'held', ['serial_number']),
+            ('state', 'released', ['serial_number']),
+            ('state', 'revoked', ['serial_number', 'revocation_reason']),
+        ],
+        supports_check_mode=False,
+    )
+
+    ansible_module._ansible_debug = True
+
+    # Get parameters
+
+    # requested
+    csr = ansible_module.params_get("csr")
+    csr_file = ansible_module.params_get("csr_file")
+    principal = ansible_module.params_get("principal")
+    add_principal = ansible_module.params_get("add_principal")
+    profile = ansible_module.params_get("profile_id")
+
+    # revoked
+    reason = ansible_module.params_get("revocation_reason")
+
+    # general
+    serial_number = ansible_module.params.get("serial_number")
+    ca = ansible_module.params_get("ca")
+    chain = ansible_module.params_get("chain")
+    certificate_out = ansible_module.params_get("certificate_out")
+
+    # state
+    state = ansible_module.params_get("state")
+
+    # Check parameters
+
+    if ansible_module.params_get("ipaapi_context") == "server":
+        ansible_module.fail_json(
+            msg="Context 'server' for ipacert is not yet supported."
+        )
+
+    invalid = []
+    if state == "requested":
+        invalid = ["serial_number", "revocation_reason"]
+        if csr is None and csr_file is None:
+            ansible_module.fail_json(
+                msg="Required 'csr' or 'csr_file' with 'state: requested'.")
+    else:
+        invalid = [
+            "csr", "principal", "add_principal", "profile"
+            "certificate_out"
+        ]
+        if state in ["released", "held"]:
+            invalid.extend(["revocation_reason", "certificate_out", "chain"])
+        if state == "retrieved":
+            invalid.append("revocation_reason")
+        if state == "revoked":
+            invalid.extend(["certificate_out", "chain"])
+        elif state == "held":
+            reason = 6  # certificateHold
+
+    ansible_module.params_fail_used_invalid(invalid, state)
+
+    # Init
+
+    changed = False
+    exit_args = {}
+
+    # Connect to IPA API
+    # If executed on 'server' contexot, cert plugin uses the IPA RA agent
+    # TLS client certificate/key, which users are not able to access,
+    # resulting in a 'permission denied' exception when attempting to connect
+    # the CA service. Therefore 'client' context in forced for this module.
+    with ansible_module.ipa_connect(context="client"):
+
+        if state == "requested":
+            if csr_file is not None:
+                with open(csr_file, "rt") as csr_in:
+                    csr = "".join(csr_in.readlines())
+            changed, exit_args = do_cert_request(
+                ansible_module,
+                csr,
+                principal,
+                add_principal,
+                ca,
+                profile,
+                chain,
+                certificate_out
+            )
+
+        elif state in ("held", "revoked"):
+            changed, exit_args = do_cert_revoke(
+                ansible_module, serial_number, reason, ca)
+
+        elif state == "released":
+            changed, exit_args = do_cert_release(
+                ansible_module, serial_number, ca)
+
+        elif state == "retrieved":
+            changed, exit_args = do_cert_retrieve(
+                ansible_module, serial_number, ca, chain, certificate_out)
+
+    # Done
+
+    ansible_module.exit_json(changed=changed, certificate=exit_args)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/ipaconfig.py

@@ -2,8 +2,9 @@
 
 # Authors:
 #   Chris Procter <cprocter@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2020 Red Hat
+# Copyright (C) 2020-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,8 +33,10 @@ ANSIBLE_METADATA = {
 
 DOCUMENTATION = '''
 ---
-module: ipa_config
-author: chris procter
+module: ipaconfig
+author:
+  - Chris Procter (@chr15p)
+  - Thomas Woerner (@t-woerner)
 short_description: Modify IPA global config options
 description:
 - Modify IPA global config options
@@ -43,48 +46,60 @@ options:
     maxusername:
         description: Set the maximum username length between 1-255
         required: false
+        type: int
         aliases: ['ipamaxusernamelength']
     maxhostname:
         description: Set the maximum hostname length between 64-255
         required: false
+        type: int
         aliases: ['ipamaxhostnamelength']
     homedirectory:
         description: Set the default location of home directories
         required: false
+        type: str
         aliases: ['ipahomesrootdir']
     defaultshell:
         description: Set the default shell for new users
         required: false
+        type: str
         aliases: ['ipadefaultloginshell', 'loginshell']
     defaultgroup:
         description: Set the default group for new users
         required: false
+        type: str
         aliases: ['ipadefaultprimarygroup']
     emaildomain:
         description: Set the default e-mail domain
         required: false
+        type: str
         aliases: ['ipadefaultemaildomain']
     searchtimelimit:
         description:
         - Set maximum amount of time (seconds) for a search
         - values -1 to 2147483647 (-1 or 0 is unlimited)
         required: false
+        type: int
         aliases: ['ipasearchtimelimit']
     searchrecordslimit:
         description:
         - Set maximum number of records to search
         - values -1 to 2147483647 (-1 or 0 is unlimited)
         required: false
+        type: int
         aliases: ['ipasearchrecordslimit']
     usersearch:
         description:
         - Set comma-separated list of fields to search for user search
         required: false
+        type: list
+        elements: str
         aliases: ['ipausersearchfields']
     groupsearch:
         description:
         - Set comma-separated list of fields to search for group search
         required: false
+        type: list
+        elements: str
         aliases: ['ipagroupsearchfields']
     enable_migration:
         description: Enable migration mode
@@ -95,22 +110,26 @@ options:
         description: Set default group objectclasses (comma-separated list)
         required: false
         type: list
+        elements: str
         aliases: ['ipagroupobjectclasses']
     userobjectclasses:
         description: Set default user objectclasses (comma-separated list)
         required: false
         type: list
+        elements: str
         aliases: ['ipauserobjectclasses']
     pwdexpnotify:
         description:
         - Set number of days's notice of impending password expiration
         - values 0 to 2147483647
         required: false
+        type: int
         aliases: ['ipapwdexpadvnotify']
     configstring:
         description: Set extra hashes to generate in password plug-in
         required: false
         type: list
+        elements: str
         choices:
         - "AllowNThash"
         - "KDC:Disable Last Success"
@@ -122,32 +141,55 @@ options:
         description: Set order in increasing priority of SELinux users
         required: false
         type: list
+        elements: str
         aliases: ['ipaselinuxusermaporder']
     selinuxusermapdefault:
         description: Set default SELinux user when no match found in map rule
         required: false
+        type: str
         aliases: ['ipaselinuxusermapdefault']
     pac_type:
         description: set default types of PAC supported for services
         required: false
         type: list
+        elements: str
         choices: ["MS-PAC", "PAD", "nfs:NONE", ""]
         aliases: ["ipakrbauthzdata"]
     user_auth_type:
         description: set default types of supported user authentication
         required: false
         type: list
+        elements: str
         choices: ["password", "radius", "otp", "disabled", ""]
         aliases: ["ipauserauthtype"]
     ca_renewal_master_server:
         description: Renewal master for IPA certificate authority.
         required: false
-        type: string
+        type: str
     domain_resolution_order:
         description: set list of domains used for short name qualification
         required: false
         type: list
+        elements: str
         aliases: ["ipadomainresolutionorder"]
+    enable_sid:
+        description: >
+          New users and groups automatically get a SID assigned.
+          Cannot be deactivated once activated. Requires IPA 4.9.8+.
+        required: false
+        type: bool
+    netbios_name:
+        description: >
+          NetBIOS name of the IPA domain. Requires IPA 4.9.8+
+          and SID generation to be activated.
+        required: false
+        type: str
+    add_sids:
+        description: >
+          Add SIDs for existing users and groups. Requires IPA 4.9.8+
+          and SID generation to be activated.
+        required: false
+        type: bool
 '''
 
 EXAMPLES = '''
@@ -169,6 +211,24 @@ EXAMPLES = '''
         ipaadmin_password: SomeADMINpassword
         defaultshell: /bin/bash
         maxusername: 64
+
+- name: Playbook to enable SID and generate users and groups SIDs
+  hosts: ipaserver
+  tasks:
+    - name: Enable SID and generate users and groups SIDS
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        add_sids: yes
+
+- name: Playbook to change IPA domain netbios name
+  hosts: ipaserver
+  tasks:
+    - name: Enable SID and generate users and groups SIDS
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        netbios_name: IPADOM
 '''
 
 RETURN = '''
@@ -176,38 +236,48 @@ config:
   description: Dict of all global config options
   returned: When no options are set
   type: dict
-  options:
+  contains:
     maxusername:
         description: maximum username length
+        type: int
         returned: always
     maxhostname:
         description: maximum hostname length
+        type: int
         returned: always
     homedirectory:
         description: default location of home directories
+        type: str
         returned: always
     defaultshell:
         description: default shell for new users
+        type: str
         returned: always
     defaultgroup:
         description: default group for new users
+        type: str
         returned: always
     emaildomain:
         description: default e-mail domain
+        type: str
         returned: always
     searchtimelimit:
         description: maximum amount of time (seconds) for a search
+        type: int
         returned: always
     searchrecordslimit:
         description: maximum number of records to search
+        type: int
         returned: always
     usersearch:
-        description: comma-separated list of fields to search in user search
+        description: list of fields to search in user search
         type: list
+        elements: str
         returned: always
     groupsearch:
-        description: comma-separated list of fields to search in group search
+        description: list of fields to search in group search
         type: list
+        elements: str
         returned: always
     enable_migration:
         description: Enable migration mode
@@ -216,37 +286,59 @@ config:
     groupobjectclasses:
         description: default group objectclasses (comma-separated list)
         type: list
+        elements: str
         returned: always
     userobjectclasses:
         description: default user objectclasses (comma-separated list)
         type: list
+        elements: str
         returned: always
     pwdexpnotify:
         description: number of days's notice of impending password expiration
+        type: str
         returned: always
     configstring:
         description: extra hashes to generate in password plug-in
         type: list
+        elements: str
         returned: always
     selinuxusermaporder:
         description: order in increasing priority of SELinux users
+        type: list
+        elements: str
         returned: always
     selinuxusermapdefault:
         description: default SELinux user when no match is found in map rule
+        type: str
         returned: always
     pac_type:
         description: default types of PAC supported for services
         type: list
+        elements: str
         returned: always
     user_auth_type:
         description: default types of supported user authentication
+        type: str
         returned: always
     ca_renewal_master_server:
         description: master for IPA certificate authority.
+        type: str
         returned: always
     domain_resolution_order:
         description: list of domains used for short name qualification
+        type: list
+        elements: str
         returned: always
+    enable_sid:
+        description: >
+          new users and groups automatically get a SID assigned.
+          Requires IPA 4.9.8+.
+        type: str
+        returned: always
+    netbios_name:
+        description: NetBIOS name of the IPA domain. Requires IPA 4.9.8+.
+        type: str
+        returned: if enable_sid is True
 '''
 
 
@@ -260,6 +352,28 @@ def config_show(module):
     return _result["result"]
 
 
+def get_netbios_name(module):
+    try:
+        _result = module.ipa_command_no_name("trustconfig_show", {"all": True})
+    except Exception:  # pylint: disable=broad-except
+        return None
+    else:
+        return _result["result"]["ipantflatname"][0]
+
+
+def is_enable_sid(module):
+    """When 'enable_sid' is true admin user and admins group have SID set."""
+    _result = module.ipa_command("user_show", "admin", {"all": True})
+    sid = _result["result"].get("ipantsecurityidentifier", [""])
+    if not sid[0].endswith("-500"):
+        return False
+    _result = module.ipa_command("group_show", "admins", {"all": True})
+    sid = _result["result"].get("ipantsecurityidentifier", [""])
+    if not sid[0].endswith("-512"):
+        return False
+    return True
+
+
 def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
@@ -281,39 +395,45 @@ def main():
                                  aliases=['ipasearchtimelimit']),
             searchrecordslimit=dict(type="int", required=False,
                                     aliases=['ipasearchrecordslimit']),
-            usersearch=dict(type="list", required=False,
+            usersearch=dict(type="list", elements="str", required=False,
                             aliases=['ipausersearchfields']),
-            groupsearch=dict(type="list", required=False,
+            groupsearch=dict(type="list", elements="str", required=False,
                              aliases=['ipagroupsearchfields']),
             enable_migration=dict(type="bool", required=False,
                                   aliases=['ipamigrationenabled']),
-            groupobjectclasses=dict(type="list", required=False,
+            groupobjectclasses=dict(type="list", elements="str",
+                                    required=False,
                                     aliases=['ipagroupobjectclasses']),
-            userobjectclasses=dict(type="list", required=False,
+            userobjectclasses=dict(type="list", elements="str", required=False,
                                    aliases=['ipauserobjectclasses']),
             pwdexpnotify=dict(type="int", required=False,
                               aliases=['ipapwdexpadvnotify']),
-            configstring=dict(type="list", required=False,
+            configstring=dict(type="list", elements="str", required=False,
                               aliases=['ipaconfigstring'],
                               choices=["AllowNThash",
                                        "KDC:Disable Last Success",
                                        "KDC:Disable Lockout",
                                        "KDC:Disable Default Preauth for SPNs",
                                        ""]),  # noqa E128
-            selinuxusermaporder=dict(type="list", required=False,
+            selinuxusermaporder=dict(type="list", elements="str",
+                                     required=False,
                                      aliases=['ipaselinuxusermaporder']),
             selinuxusermapdefault=dict(type="str", required=False,
                                        aliases=['ipaselinuxusermapdefault']),
-            pac_type=dict(type="list", required=False,
+            pac_type=dict(type="list", elements="str", required=False,
                           aliases=["ipakrbauthzdata"],
                           choices=["MS-PAC", "PAD", "nfs:NONE", ""]),
-            user_auth_type=dict(type="list", required=False,
+            user_auth_type=dict(type="list", elements="str", required=False,
                                 choices=["password", "radius", "otp",
                                          "disabled", ""],
                                 aliases=["ipauserauthtype"]),
             ca_renewal_master_server=dict(type="str", required=False),
-            domain_resolution_order=dict(type="list", required=False,
-                                         aliases=["ipadomainresolutionorder"])
+            domain_resolution_order=dict(type="list", elements="str",
+                                         required=False,
+                                         aliases=["ipadomainresolutionorder"]),
+            enable_sid=dict(type="bool", required=False),
+            add_sids=dict(type="bool", required=False),
+            netbios_name=dict(type="str", required=False),
         ),
         supports_check_mode=True,
     )
@@ -344,7 +464,10 @@ def main():
         "pac_type": "ipakrbauthzdata",
         "user_auth_type": "ipauserauthtype",
         "ca_renewal_master_server": "ca_renewal_master_server",
-        "domain_resolution_order": "ipadomainresolutionorder"
+        "domain_resolution_order": "ipadomainresolutionorder",
+        "enable_sid": "enable_sid",
+        "netbios_name": "netbios_name",
+        "add_sids": "add_sids",
     }
     allow_empty_string = ["pac_type", "user_auth_type", "configstring"]
     reverse_field_map = {v: k for k, v in field_map.items()}
@@ -394,11 +517,52 @@ def main():
     changed = False
     exit_args = {}
 
-    # Connect to IPA API
-    with ansible_module.ipa_connect():
+    # Connect to IPA API (enable_sid requires context == 'client')
+    with ansible_module.ipa_connect(context="client"):
+        has_enable_sid = ansible_module.ipa_command_param_exists(
+            "config_mod", "enable_sid")
 
         result = config_show(ansible_module)
+
         if params:
+            enable_sid = params.get("enable_sid")
+            sid_is_enabled = has_enable_sid and is_enable_sid(ansible_module)
+
+            if sid_is_enabled and enable_sid is False:
+                ansible_module.fail_json(msg="SID cannot be disabled.")
+
+            netbios_name = params.get("netbios_name")
+            add_sids = params.get("add_sids")
+            if has_enable_sid:
+                if (
+                    netbios_name
+                    and netbios_name == get_netbios_name(ansible_module)
+                ):
+                    del params["netbios_name"]
+                    netbios_name = None
+                if not add_sids and "add_sids" in params:
+                    del params["add_sids"]
+                if any([netbios_name, add_sids]):
+                    if sid_is_enabled:
+                        params["enable_sid"] = True
+                    else:
+                        if not enable_sid:
+                            ansible_module.fail_json(
+                                msg="SID generation must be enabled for "
+                                    "'netbios_name' and 'add_sids'. Use "
+                                    "'enable_sid: yes'."
+                            )
+                else:
+                    if sid_is_enabled and "enable_sid" in params:
+                        del params["enable_sid"]
+
+            else:
+                if any([enable_sid, netbios_name, add_sids is not None]):
+                    ansible_module.fail_json(
+                        msg="This version of IPA does not support enable_sid, "
+                            "add_sids or netbios_name setting through the "
+                            "config module"
+                    )
             params = {
                 k: v for k, v in params.items()
                 if k not in result or result[k] != v
@@ -458,6 +622,10 @@ def main():
             # Add empty domain_resolution_order if it is not set
             if "domain_resolution_order" not in exit_args:
                 exit_args["domain_resolution_order"] = []
+            # Set enable_sid
+            if has_enable_sid:
+                exit_args["enable_sid"] = is_enable_sid(ansible_module)
+                exit_args["netbios_name"] = get_netbios_name(ansible_module)
 
     # Done
     ansible_module.exit_json(changed=changed, config=exit_args)

plugins/modules/ipadelegation.py

@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2020 Red Hat
+# Copyright (C) 2020-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,40 +32,52 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipadelegation
-short description: Manage FreeIPA delegations
+short_description: Manage FreeIPA delegations
 description: Manage FreeIPA delegations and delegation attributes
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The list of delegation name strings.
+    type: list
+    elements: str
     required: true
     aliases: ["aciname"]
   permission:
     description: Permissions to grant (read, write). Default is write.
+    type: list
+    elements: str
     required: false
     aliases: ["permissions"]
   attribute:
     description: Attribute list to which the delegation applies
+    type: list
+    elements: str
     required: false
     aliases: ["attrs"]
   membergroup:
     description: User group to apply delegation to
+    type: str
     required: false
     aliases: ["memberof"]
   group:
     description: User group ACI grants access to
+    type: str
     required: false
   action:
     description: Work on delegation or member level.
+    type: str
     choices: ["delegation", "member"]
     default: delegation
     required: false
   state:
     description: The state to ensure.
+    type: str
     choices: ["present", "absent"]
     default: present
-    required: true
+    required: false
+author:
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -143,13 +155,13 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["aciname"], default=None,
+            name=dict(type="list", elements="str", aliases=["aciname"],
                       required=True),
             # present
-            permission=dict(required=False, type='list',
+            permission=dict(required=False, type='list', elements="str",
                             aliases=["permissions"], default=None),
-            attribute=dict(required=False, type='list', aliases=["attrs"],
-                           default=None),
+            attribute=dict(required=False, type='list', elements="str",
+                           aliases=["attrs"], default=None),
             membergroup=dict(type="str", aliases=["memberof"], default=None),
             group=dict(type="str", default=None),
             action=dict(type="str", default="delegation",

plugins/modules/ipadnsconfig.py

@@ -2,8 +2,9 @@
 
 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -33,7 +34,7 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipadnsconfig
-short description: Manage FreeIPA dnsconfig
+short_description: Manage FreeIPA dnsconfig
 description: Manage FreeIPA dnsconfig
 extends_documentation_fragment:
   - ipamodule_base_docs
@@ -41,20 +42,25 @@ options:
   forwarders:
     description: The list of global DNS forwarders.
     required: false
-    options:
+    type: list
+    elements: dict
+    suboptions:
       ip_address:
         description: The forwarder nameserver IP address list (IPv4 and IPv6).
+        type: str
         required: true
       port:
         description: The port to forward requests to.
+        type: int
         required: false
   forward_policy:
     description:
       Global forwarding policy. Set to "none" to disable any configured
       global forwarders.
+    type: str
     required: false
     choices: ['only', 'first', 'none']
-    alias: ["forwardpolicy"]
+    aliases: ["forwardpolicy"]
   allow_sync_ptr:
     description:
       Allow synchronization of forward (A, AAAA) and reverse (PTR) records.
@@ -64,14 +70,19 @@ options:
     description: |
       Work on dnsconfig or member level. It can be one of `member` or
       `dnsconfig`. Only `forwarders` can be managed with `action: member`.
+    type: str
     default: "dnsconfig"
     choices: ["member", "dnsconfig"]
   state:
     description: |
       The state to ensure. It can be one of `present` or `absent`.
       `absent` can only be used with `action: member` and `forwarders`.
+    type: str
     default: present
     choices: ["present", "absent"]
+author:
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -183,14 +194,15 @@ def gen_args(module, state, action, dnsconfig, forwarders, forward_policy,
 
 def main():
     forwarder_spec = dict(
-        ip_address=dict(type=str, required=True),
-        port=dict(type=int, required=False, default=None)
+        ip_address=dict(type="str", required=True),
+        port=dict(type="int", required=False, default=None)
     )
 
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # dnsconfig
-            forwarders=dict(type='list', default=None, required=False,
+            forwarders=dict(type='list', elements="dict", default=None,
+                            required=False,
                             options=dict(**forwarder_spec)),
             forward_policy=dict(type='str', required=False, default=None,
                                 choices=['only', 'first', 'none'],

plugins/modules/ipadnsforwardzone.py

@@ -2,8 +2,9 @@
 
 # Authors:
 #   Chris Procter <cprocter@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,53 +33,68 @@ ANSIBLE_METADATA = {
 
 DOCUMENTATION = '''
 ---
-module: ipa_dnsforwardzone
-author: chris procter
+module: ipadnsforwardzone
+author:
+  - Chris Procter (@chr15p)
+  - Thomas Woerner (@t-woerner)
 short_description: Manage FreeIPA DNS Forwarder Zones
 description:
-- Add and delete an IPA DNS Forwarder Zones using IPA API
+  - Add and delete an IPA DNS Forwarder Zones using IPA API
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description:
     - The DNS zone name which needs to be managed.
+    type: list
+    elements: str
     required: true
     aliases: ["cn"]
+  action:
+    description: |
+      Work on dnsforwardzone or member level. It can be one of `member` or
+      `dnsforwardzone`.
+    type: str
+    default: "dnsforwardzone"
+    choices: ["member", "dnsforwardzone"]
   state:
     description: State to ensure
+    type: str
     required: false
     default: present
     choices: ["present", "absent", "enabled", "disabled"]
   forwarders:
     description:
     - List of the DNS servers to forward to
+    type: list
+    elements: dict
     aliases: ["idnsforwarders"]
-    options:
+    suboptions:
       ip_address:
         description: Forwarder IP address (either IPv4 or IPv6).
-        required: false
-        type: string
+        required: true
+        type: str
       port:
         description: Forwarder port.
         required: false
         type: int
   forwardpolicy:
     description: Per-zone conditional forwarding policy
+    type: str
     required: false
-    default: only
     choices: ["only", "first", "none"]
-    aliases: ["idnsforwarders", "forward_policy"]
+    aliases: ["idnsforwardpolicy", "forward_policy"]
   skip_overlap_check:
     description:
     - Force DNS zone creation even if it will overlap with an existing zone.
+    type: bool
     required: false
-    default: false
   permission:
     description:
     - Allow DNS Forward Zone to be managed.
     required: false
     type: bool
+    aliases: ["managedby"]
 '''
 
 EXAMPLES = '''
@@ -180,7 +196,7 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                       required=True),
             forwarders=dict(type="list", default=None, required=False,
                             aliases=["idnsforwarders"], elements='dict',

plugins/modules/ipadnsrecord.py

@@ -2,8 +2,9 @@
 
 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2020 Red Hat
+# Copyright (C) 2020-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -34,7 +35,7 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipadnsrecord
-short description: Manage FreeIPA DNS records
+short_description: Manage FreeIPA DNS records
 description: Manage FreeIPA DNS records
 extends_documentation_fragment:
   - ipamodule_base_docs
@@ -42,19 +43,24 @@ options:
   records:
     description: The list of user dns records dicts
     required: false
-    options:
+    type: list
+    elements: dict
+    suboptions:
       name:
         description: The DNS record name to manage.
+        type: str
         aliases: ["record_name"]
         required: true
       zone_name:
         description: |
           The DNS zone name to which DNS record needs to be managed.
           Required if not provided globally.
+        type: str
         aliases: ["dnszone"]
         required: false
       record_type:
         description: The type of DNS record.
+        type: str
         choices: ["A", "AAAA", "A6", "AFSDB", "CERT", "CNAME", "DLV", "DNAME",
                   "DS", "KX", "LOC", "MX", "NAPTR", "NS", "PTR", "SRV",
                   "SSHFP", "TLSA", "TXT", "URI"]
@@ -63,6 +69,7 @@ options:
         description: Manage DNS record name with these values.
         required: false
         type: list
+        elements: str
       record_ttl:
         description: Set the TTL for the record.
         required: false
@@ -73,92 +80,132 @@ options:
         type: bool
       a_rec:
         description: Raw A record.
+        type: list
+        elements: str
         required: false
         aliases: ["a_record"]
       aaaa_rec:
         description: Raw AAAA record.
+        type: list
+        elements: str
         required: false
         aliases: ["aaaa_record"]
       a6_rec:
         description: Raw A6 record.
+        type: list
+        elements: str
         required: false
         aliases: ["a6_record"]
       afsdb_rec:
         description: Raw AFSDB record.
+        type: list
+        elements: str
         required: false
         aliases: ["afsdb_record"]
       cert_rec:
         description: Raw CERT record.
+        type: list
+        elements: str
         required: false
         aliases: ["cert_record"]
       cname_rec:
         description: Raw CNAME record.
+        type: list
+        elements: str
         required: false
         aliases: ["cname_record"]
       dlv_rec:
         description: Raw DLV record.
+        type: list
+        elements: str
         required: false
         aliases: ["dlv_record"]
       dname_rec:
         description: Raw DNAM record.
+        type: list
+        elements: str
         required: false
         aliases: ["dname_record"]
       ds_rec:
         description: Raw DS record.
+        type: list
+        elements: str
         required: false
         aliases: ["ds_record"]
       kx_rec:
         description: Raw KX record.
+        type: list
+        elements: str
         required: false
         aliases: ["kx_record"]
       loc_rec:
         description: Raw LOC record.
+        type: list
+        elements: str
         required: false
         aliases: ["loc_record"]
       mx_rec:
         description: Raw MX record.
+        type: list
+        elements: str
         required: false
         aliases: ["mx_record"]
       naptr_rec:
         description: Raw NAPTR record.
+        type: list
+        elements: str
         required: false
         aliases: ["naptr_record"]
       ns_rec:
         description: Raw NS record.
+        type: list
+        elements: str
         required: false
         aliases: ["ns_record"]
       ptr_rec:
         description: Raw PTR record.
+        type: list
+        elements: str
         required: false
         aliases: ["ptr_record"]
       srv_rec:
         description: Raw SRV record.
+        type: list
+        elements: str
         required: false
         aliases: ["srv_record"]
       sshfp_rec:
         description: Raw SSHFP record.
+        type: list
+        elements: str
         required: false
         aliases: ["sshfp_record"]
       tlsa_rec:
         description: Raw TLSA record.
+        type: list
+        elements: str
         required: false
         aliases: ["tlsa_record"]
       txt_rec:
         description: Raw TXT record.
+        type: list
+        elements: str
         required: false
         aliases: ["txt_record"]
       uri_rec:
         description: Raw URI record.
+        type: list
+        elements: str
         required: false
         aliases: ["uri_record"]
       ip_address:
         description: IP adresses for A or AAAA records.
         required: false
-        type: string
+        type: str
       a_ip_address:
         description: IP adresses for A records.
         required: false
-        type: string
+        type: str
       a_create_reverse:
         description: |
           Create reverse record for A records.
@@ -168,7 +215,7 @@ options:
       aaaa_ip_address:
         description: IP adresses for AAAA records.
         required: false
-        type: string
+        type: str
       aaaa_create_reverse:
         description: |
           Create reverse record for AAAA records.
@@ -185,6 +232,7 @@ options:
       a6_data:
         description: A6 record data.
         required: false
+        type: str
       afsdb_subtype:
         description: AFSDB Subtype
         required: false
@@ -192,7 +240,7 @@ options:
       afsdb_hostname:
         description: AFSDB Hostname
         required: false
-        type: string
+        type: str
       cert_type:
         description: CERT Certificate Type
         required: false
@@ -208,13 +256,13 @@ options:
       cert_certificate_or_crl:
         description: CERT Certificate or Certificate Revocation List (CRL).
         required: false
-        type: string
+        type: str
       cname_hostname:
         description: A hostname which this alias hostname points to.
         required: false
-        type: string
+        type: str
       dlv_key_tag:
-        description: DS Key Tag
+        description: DLV Key Tag
         required: false
         type: int
       dlv_algorithm:
@@ -228,11 +276,11 @@ options:
       dlv_digest:
         description: DLV Digest
         required: false
-        type: string
+        type: str
       dname_target:
         description: DNAME Target
         required: false
-        type: string
+        type: str
       ds_key_tag:
         description: DS Key Tag
         required: false
@@ -248,7 +296,7 @@ options:
       ds_digest:
         description: DS Digest
         required: false
-        type: string
+        type: str
       kx_preference:
         description: |
           Preference given to this exchanger. Lower values are more preferred.
@@ -257,7 +305,7 @@ options:
       kx_exchanger:
         description: A host willing to act as a key exchanger.
         required: false
-        type: string
+        type: str
       loc_lat_deg:
         description: LOC Degrees Latitude
         required: false
@@ -274,6 +322,7 @@ options:
         description: LOC Direction Latitude
         required: false
         choices: ["N", "S"]
+        type: str
       loc_lon_deg:
         description: LOC Degrees Longitude
         required: false
@@ -290,6 +339,7 @@ options:
         description: LOC Direction Longitude
         required: false
         choices: ["E", "W"]
+        type: str
       loc_altitude:
         description: LOC Altitude
         required: false
@@ -314,7 +364,7 @@ options:
       mx_exchanger:
         description: A host willing to act as a mail exchanger.
         required: false
-        type: string
+        type: str
       naptr_order:
         description: NAPTR Order
         required: false
@@ -326,27 +376,27 @@ options:
       naptr_flags:
         description: NAPTR Flags
         required: false
-        type: string
+        type: str
       naptr_service:
         description: NAPTR Service
         required: false
-        type: string
+        type: str
       naptr_regexp:
         description: NAPTR Regular Expression
         required: false
-        type: string
+        type: str
       naptr_replacement:
         description: NAPTR Replacement
         required: false
-        type: string
+        type: str
       ns_hostname:
         description: NS Hostname
         required: false
-        type: string
+        type: str
       ptr_hostname:
         description: The hostname this reverse record points to.
         required: false
-        type: string
+        type: str
       srv_priority:
         description: |
           Lower number means higher priority. Clients will attempt to contact
@@ -366,7 +416,7 @@ options:
           The domain name of the target host or '.' if the service is decidedly
           not available at this domain.
         required: false
-        type: string
+        type: str
       sshfp_algorithm:
         description: SSHFP Algorithm
         required: False
@@ -378,11 +428,11 @@ options:
       sshfp_fingerprint:
         description: SSHFP Fingerprint
         required: False
-        type: string
+        type: str
       txt_data:
         description: TXT Text Data
         required: false
-        type: string
+        type: str
       tlsa_cert_usage:
         description: TLSA Certificate Usage
         required: false
@@ -398,11 +448,11 @@ options:
       tlsa_cert_association_data:
         description: TLSA Certificate Association Data
         required: false
-        type: string
+        type: str
       uri_target:
         description: Target Uniform Resource Identifier according to RFC 3986.
         required: false
-        type: string
+        type: str
       uri_priority:
         description: |
           Lower number means higher priority. Clients will attempt to contact
@@ -413,27 +463,31 @@ options:
         description: Relative weight for entries with the same priority.
         required: false
         type: int
+  name:
+    description: The DNS record name to manage.
+    type: list
+    elements: str
+    aliases: ["record_name"]
+    required: false
   zone_name:
     description: |
       The DNS zone name to which DNS record needs to be managed.
       Required if not provided globally.
+    type: str
     aliases: ["dnszone"]
     required: false
-  name:
-    description: The DNS record name to manage.
-    aliases: ["record_name"]
-    required: true
   record_type:
     description: The type of DNS record.
-    required: false
+    type: str
     choices: ["A", "AAAA", "A6", "AFSDB", "CERT", "CNAME", "DLV", "DNAME",
-              "DS", "KX", "LOC", "MX", "NAPTR", "NS", "PTR", "SRV", "SSHFP",
-              "TLSA", "TXT", "URI"]
+              "DS", "KX", "LOC", "MX", "NAPTR", "NS", "PTR", "SRV",
+              "SSHFP", "TLSA", "TXT", "URI"]
     default: "A"
   record_value:
-    description: Manage DNS record name with this values.
+    description: Manage DNS record name with these values.
     required: false
     type: list
+    elements: str
   record_ttl:
     description: Set the TTL for the record.
     required: false
@@ -444,99 +498,132 @@ options:
     type: bool
   a_rec:
     description: Raw A record.
+    type: list
+    elements: str
     required: false
     aliases: ["a_record"]
   aaaa_rec:
     description: Raw AAAA record.
+    type: list
+    elements: str
     required: false
     aliases: ["aaaa_record"]
   a6_rec:
     description: Raw A6 record.
+    type: list
+    elements: str
     required: false
     aliases: ["a6_record"]
   afsdb_rec:
     description: Raw AFSDB record.
+    type: list
+    elements: str
     required: false
     aliases: ["afsdb_record"]
   cert_rec:
     description: Raw CERT record.
+    type: list
+    elements: str
     required: false
     aliases: ["cert_record"]
   cname_rec:
     description: Raw CNAME record.
+    type: list
+    elements: str
     required: false
     aliases: ["cname_record"]
   dlv_rec:
     description: Raw DLV record.
+    type: list
+    elements: str
     required: false
     aliases: ["dlv_record"]
   dname_rec:
     description: Raw DNAM record.
+    type: list
+    elements: str
     required: false
     aliases: ["dname_record"]
   ds_rec:
     description: Raw DS record.
+    type: list
+    elements: str
     required: false
     aliases: ["ds_record"]
   kx_rec:
     description: Raw KX record.
+    type: list
+    elements: str
     required: false
     aliases: ["kx_record"]
   loc_rec:
     description: Raw LOC record.
+    type: list
+    elements: str
     required: false
     aliases: ["loc_record"]
   mx_rec:
     description: Raw MX record.
+    type: list
+    elements: str
     required: false
     aliases: ["mx_record"]
   naptr_rec:
     description: Raw NAPTR record.
+    type: list
+    elements: str
     required: false
     aliases: ["naptr_record"]
   ns_rec:
     description: Raw NS record.
+    type: list
+    elements: str
     required: false
     aliases: ["ns_record"]
   ptr_rec:
     description: Raw PTR record.
+    type: list
+    elements: str
     required: false
     aliases: ["ptr_record"]
   srv_rec:
     description: Raw SRV record.
+    type: list
+    elements: str
     required: false
     aliases: ["srv_record"]
   sshfp_rec:
     description: Raw SSHFP record.
+    type: list
+    elements: str
     required: false
     aliases: ["sshfp_record"]
   tlsa_rec:
     description: Raw TLSA record.
+    type: list
+    elements: str
     required: false
     aliases: ["tlsa_record"]
   txt_rec:
     description: Raw TXT record.
+    type: list
+    elements: str
     required: false
     aliases: ["txt_record"]
   uri_rec:
     description: Raw URI record.
+    type: list
+    elements: str
     required: false
     aliases: ["uri_record"]
   ip_address:
-    description: IP adresses for A ar AAAA.
+    description: IP adresses for A or AAAA records.
     required: false
-    type: string
-  create_reverse:
-    description: |
-      Create reverse record for A or AAAA record types.
-      There is no equivalent to remove reverse records.
-    type: bool
-    required: false
-    aliases: ["reverse"]
+    type: str
   a_ip_address:
     description: IP adresses for A records.
     required: false
-    type: string
+    type: str
   a_create_reverse:
     description: |
       Create reverse record for A records.
@@ -546,13 +633,24 @@ options:
   aaaa_ip_address:
     description: IP adresses for AAAA records.
     required: false
-    type: string
+    type: str
   aaaa_create_reverse:
     description: |
       Create reverse record for AAAA records.
       There is no equivalent to remove reverse records.
     type: bool
     required: false
+  create_reverse:
+    description: |
+      Create reverse record for A or AAAA record types.
+      There is no equivalent to remove reverse records.
+    type: bool
+    required: false
+    aliases: ["reverse"]
+  a6_data:
+    description: A6 record data.
+    required: false
+    type: str
   afsdb_subtype:
     description: AFSDB Subtype
     required: false
@@ -560,7 +658,7 @@ options:
   afsdb_hostname:
     description: AFSDB Hostname
     required: false
-    type: string
+    type: str
   cert_type:
     description: CERT Certificate Type
     required: false
@@ -574,13 +672,13 @@ options:
     required: false
     type: int
   cert_certificate_or_crl:
-    description: CERT Certificate/CRL
+    description: CERT Certificate or Certificate Revocation List (CRL).
     required: false
-    type: string
+    type: str
   cname_hostname:
     description: A hostname which this alias hostname points to.
     required: false
-    type: string
+    type: str
   dlv_key_tag:
     description: DS Key Tag
     required: false
@@ -596,11 +694,11 @@ options:
   dlv_digest:
     description: DLV Digest
     required: false
-    type: string
+    type: str
   dname_target:
     description: DNAME Target
     required: false
-    type: string
+    type: str
   ds_key_tag:
     description: DS Key Tag
     required: false
@@ -616,7 +714,7 @@ options:
   ds_digest:
     description: DS Digest
     required: false
-    type: string
+    type: str
   kx_preference:
     description: |
       Preference given to this exchanger. Lower values are more preferred.
@@ -625,7 +723,7 @@ options:
   kx_exchanger:
     description: A host willing to act as a key exchanger.
     required: false
-    type: string
+    type: str
   loc_lat_deg:
     description: LOC Degrees Latitude
     required: false
@@ -642,6 +740,7 @@ options:
     description: LOC Direction Latitude
     required: false
     choices: ["N", "S"]
+    type: str
   loc_lon_deg:
     description: LOC Degrees Longitude
     required: false
@@ -658,6 +757,7 @@ options:
     description: LOC Direction Longitude
     required: false
     choices: ["E", "W"]
+    type: str
   loc_altitude:
     description: LOC Altitude
     required: false
@@ -682,7 +782,7 @@ options:
   mx_exchanger:
     description: A host willing to act as a mail exchanger.
     required: false
-    type: string
+    type: str
   naptr_order:
     description: NAPTR Order
     required: false
@@ -694,31 +794,31 @@ options:
   naptr_flags:
     description: NAPTR Flags
     required: false
-    type: string
+    type: str
   naptr_service:
     description: NAPTR Service
     required: false
-    type: string
+    type: str
   naptr_regexp:
     description: NAPTR Regular Expression
     required: false
-    type: string
+    type: str
   naptr_replacement:
     description: NAPTR Replacement
     required: false
-    type: string
+    type: str
   ns_hostname:
     description: NS Hostname
     required: false
-    type: string
+    type: str
   ptr_hostname:
     description: The hostname this reverse record points to.
     required: false
-    type: string
+    type: str
   srv_priority:
     description: |
-      Lower number means higher priority. Clients will attempt to contact the
-      server with the lowest-numbered priority they can reach.
+      Lower number means higher priority. Clients will attempt to contact
+      the server with the lowest-numbered priority they can reach.
     required: false
     type: int
   srv_weight:
@@ -731,26 +831,26 @@ options:
     type: int
   srv_target:
     description: |
-      The domain name of the target host or '.' if the service is decidedly not
-      available at this domain.
+      The domain name of the target host or '.' if the service is decidedly
+      not available at this domain.
     required: false
-    type: string
+    type: str
   sshfp_algorithm:
     description: SSHFP Algorithm
-    required: false
+    required: False
     type: int
   sshfp_fp_type:
     description: SSHFP Fingerprint Type
-    required: false
+    required: False
     type: int
   sshfp_fingerprint:
     description: SSHFP Fingerprint
-    required: false
-    type: string
+    required: False
+    type: str
   txt_data:
     description: TXT Text Data
     required: false
-    type: string
+    type: str
   tlsa_cert_usage:
     description: TLSA Certificate Usage
     required: false
@@ -766,15 +866,15 @@ options:
   tlsa_cert_association_data:
     description: TLSA Certificate Association Data
     required: false
-    type: string
+    type: str
   uri_target:
     description: Target Uniform Resource Identifier according to RFC 3986.
     required: false
-    type: string
+    type: str
   uri_priority:
     description: |
-      Lower number means higher priority. Clients will attempt to contact the
-      URI with the lowest-numbered priority they can reach.
+      Lower number means higher priority. Clients will attempt to contact
+      the URI with the lowest-numbered priority they can reach.
     required: false
     type: int
   uri_weight:
@@ -783,11 +883,12 @@ options:
     type: int
   state:
     description: State to ensure
+    type: str
     default: present
-    choices: ["present", "absent"]
-
+    choices: ["present", "absent", "disabled"]
 author:
-    - Rafael Guterres Jeffman
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -866,8 +967,13 @@ RETURN = """
 from ansible.module_utils._text import to_text
 from ansible.module_utils.ansible_freeipa_module import \
     IPAAnsibleModule, is_ipv4_addr, is_ipv6_addr, ipalib_errors
-import dns.reversename
-import dns.resolver
+try:
+    import dns.reversename
+    import dns.resolver
+except ImportError as _err:
+    MODULE_IMPORT_ERROR = str(_err)
+else:
+    MODULE_IMPORT_ERROR = None
 
 from ansible.module_utils import six
 
@@ -1015,29 +1121,49 @@ def configure_module():
                                   "DLV", "DNAME", "DS", "KX", "LOC", "MX",
                                   "NAPTR", "NS", "PTR", "SRV", "SSHFP", "TLSA",
                                   "TXT", "URI"]),
-        record_value=dict(type='list', required=False),
+        record_value=dict(type='list', elements='str', required=False),
         record_ttl=dict(type='int', required=False),
         del_all=dict(type='bool', required=False),
-        a_rec=dict(type='list', required=False, aliases=['a_record']),
-        aaaa_rec=dict(type='list', required=False, aliases=['aaaa_record']),
-        a6_rec=dict(type='list', required=False, aliases=['a6_record']),
-        afsdb_rec=dict(type='list', required=False, aliases=['afsdb_record']),
-        cert_rec=dict(type='list', required=False, aliases=['cert_record']),
-        cname_rec=dict(type='list', required=False, aliases=['cname_record']),
-        dlv_rec=dict(type='list', required=False, aliases=['dlv_record']),
-        dname_rec=dict(type='list', required=False, aliases=['dname_record']),
-        ds_rec=dict(type='list', required=False, aliases=['ds_record']),
-        kx_rec=dict(type='list', required=False, aliases=['kx_record']),
-        loc_rec=dict(type='list', required=False, aliases=['loc_record']),
-        mx_rec=dict(type='list', required=False, aliases=['mx_record']),
-        naptr_rec=dict(type='list', required=False, aliases=['naptr_record']),
-        ns_rec=dict(type='list', required=False, aliases=['ns_record']),
-        ptr_rec=dict(type='list', required=False, aliases=['ptr_record']),
-        srv_rec=dict(type='list', required=False, aliases=['srv_record']),
-        sshfp_rec=dict(type='list', required=False, aliases=['sshfp_record']),
-        tlsa_rec=dict(type='list', required=False, aliases=['tlsa_record']),
-        txt_rec=dict(type='list', required=False, aliases=['txt_record']),
-        uri_rec=dict(type='list', required=False, aliases=['uri_record']),
+        a_rec=dict(type='list', elements='str', required=False,
+                   aliases=['a_record']),
+        aaaa_rec=dict(type='list', elements='str', required=False,
+                      aliases=['aaaa_record']),
+        a6_rec=dict(type='list', elements='str', required=False,
+                    aliases=['a6_record']),
+        afsdb_rec=dict(type='list', elements='str', required=False,
+                       aliases=['afsdb_record']),
+        cert_rec=dict(type='list', elements='str', required=False,
+                      aliases=['cert_record']),
+        cname_rec=dict(type='list', elements='str', required=False,
+                       aliases=['cname_record']),
+        dlv_rec=dict(type='list', elements='str', required=False,
+                     aliases=['dlv_record']),
+        dname_rec=dict(type='list', elements='str', required=False,
+                       aliases=['dname_record']),
+        ds_rec=dict(type='list', elements='str', required=False,
+                    aliases=['ds_record']),
+        kx_rec=dict(type='list', elements='str', required=False,
+                    aliases=['kx_record']),
+        loc_rec=dict(type='list', elements='str', required=False,
+                     aliases=['loc_record']),
+        mx_rec=dict(type='list', elements='str', required=False,
+                    aliases=['mx_record']),
+        naptr_rec=dict(type='list', elements='str', required=False,
+                       aliases=['naptr_record']),
+        ns_rec=dict(type='list', elements='str', required=False,
+                    aliases=['ns_record']),
+        ptr_rec=dict(type='list', elements='str', required=False,
+                     aliases=['ptr_record']),
+        srv_rec=dict(type='list', elements='str', required=False,
+                     aliases=['srv_record']),
+        sshfp_rec=dict(type='list', elements='str', required=False,
+                       aliases=['sshfp_record']),
+        tlsa_rec=dict(type='list', elements='str', required=False,
+                      aliases=['tlsa_record']),
+        txt_rec=dict(type='list', elements='str', required=False,
+                     aliases=['txt_record']),
+        uri_rec=dict(type='list', elements='str', required=False,
+                     aliases=['uri_record']),
         ip_address=dict(type='str', required=False),
         create_reverse=dict(type='bool', required=False, aliases=['reverse']),
         a_ip_address=dict(type='str', required=False),
@@ -1048,16 +1174,16 @@ def configure_module():
         afsdb_subtype=dict(type='int', required=False),
         afsdb_hostname=dict(type='str', required=False),
         cert_type=dict(type='int', required=False),
-        cert_key_tag=dict(type='int', required=False),
+        cert_key_tag=dict(type='int', required=False, no_log=True),
         cert_algorithm=dict(type='int', required=False),
         cert_certificate_or_crl=dict(type='str', required=False),
         cname_hostname=dict(type='str', required=False),
-        dlv_key_tag=dict(type='int', required=False),
+        dlv_key_tag=dict(type='int', required=False, no_log=True),
         dlv_algorithm=dict(type='int', required=False),
         dlv_digest_type=dict(type='int', required=False),
         dlv_digest=dict(type='str', required=False),
         dname_target=dict(type='str', required=False),
-        ds_key_tag=dict(type='int', required=False),
+        ds_key_tag=dict(type='int', required=False, no_log=True),
         ds_algorithm=dict(type='int', required=False),
         ds_digest_type=dict(type='int', required=False),
         ds_digest=dict(type='str', required=False),
@@ -1066,11 +1192,11 @@ def configure_module():
         loc_lat_deg=dict(type='int', required=False),
         loc_lat_min=dict(type='int', required=False),
         loc_lat_sec=dict(type='float', required=False),
-        loc_lat_dir=dict(type='str', required=False),
+        loc_lat_dir=dict(type='str', required=False, choices=["N", "S"]),
         loc_lon_deg=dict(type='int', required=False),
         loc_lon_min=dict(type='int', required=False),
         loc_lon_sec=dict(type='float', required=False),
-        loc_lon_dir=dict(type='str', required=False),
+        loc_lon_dir=dict(type='str', required=False, choices=["E", "W"]),
         loc_altitude=dict(type='float', required=False),
         loc_size=dict(type='float', required=False),
         loc_h_precision=dict(type='float', required=False),
@@ -1105,10 +1231,14 @@ def configure_module():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["record_name"], default=None,
-                      required=False),
+            name=dict(type="list", elements="str", aliases=["record_name"],
+                      default=None, required=False),
 
+            # Use elements="str" and not elements="dict" for records:
+            # elements="dict" will create dicts with all unused parameters
+            # set to None. This breaks the module logic.
             records=dict(type="list",
+                         elements="dict",
                          default=None,
                          options=dict(
                              # Here name is a simple string
@@ -1131,6 +1261,9 @@ def configure_module():
 
     ansible_module._ansible_debug = True
 
+    if MODULE_IMPORT_ERROR is not None:
+        ansible_module.fail_json(msg=MODULE_IMPORT_ERROR)
+
     return ansible_module
 
 
@@ -1261,15 +1394,16 @@ def gen_args(entry):
 
     if record_value is not None:
         record_type = entry['record_type']
-        rec = "{}record".format(record_type.lower())
+        rec = "{0}record".format(record_type.lower())
         args[rec] = ensure_data_is_list(record_value)
 
     else:
         for field in _RECORD_FIELDS:
             record_value = entry.get(field) or entry.get("%sord" % field)
             if record_value is not None:
+                # pylint: disable=use-maxsplit-arg
                 record_type = field.split('_')[0]
-                rec = "{}record".format(record_type.lower())
+                rec = "{0}record".format(record_type.lower())
                 args[rec] = ensure_data_is_list(record_value)
 
         records = {
@@ -1436,6 +1570,14 @@ def main():
                 msg="Only one record can be added at a time.")
 
     if records is not None:
+        # Remove all keys that have a None value from the dicts in records
+        # list.
+        # This is needed after setting elements="dict" for records and makes
+        # it behave like before with elements=None.
+        for record in records:
+            for key in list(record):
+                if record[key] is None:
+                    del record[key]
         names = records
 
     # Init

plugins/modules/ipadnszone.py

@@ -2,8 +2,9 @@
 
 # Authors:
 #   Sergio Oliveira Campos <seocam@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2020 Red Hat
+# Copyright (C) 2020-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,16 +33,17 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipadnszone
-short description: Manage FreeIPA dnszone
+short_description: Manage FreeIPA dnszone
 description: Manage FreeIPA dnszone
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The zone name string.
-    required: true
+    required: false
     type: list
-    alises: ["zone_name"]
+    elements: str
+    aliases: ["zone_name"]
   name_from_ip:
     description: |
       Derive zone name from reverse of IP (PTR).
@@ -51,17 +53,22 @@ options:
   forwarders:
     description: The list of global DNS forwarders.
     required: false
-    options:
+    type: list
+    elements: dict
+    suboptions:
       ip_address:
         description: The forwarder nameserver IP address list (IPv4 and IPv6).
+        type: str
         required: true
       port:
         description: The port to forward requests to.
+        type: int
         required: false
   forward_policy:
     description:
       Global forwarding policy. Set to "none" to disable any configured
       global forwarders.
+    type: str
     required: false
     choices: ['only', 'first', 'none']
   allow_sync_ptr:
@@ -71,6 +78,7 @@ options:
     type: bool
   state:
     description: State to ensure
+    type: str
     default: present
     choices: ["present", "absent", "enabled", "disabled"]
   name_server:
@@ -89,7 +97,7 @@ options:
     description: Allow dynamic updates
     required: false
     type: bool
-    alises: ["dynamicupdate"]
+    aliases: ["dynamicupdate"]
   dnssec:
     description: Allow inline DNSSEC signing of records in the zone
     required: false
@@ -97,11 +105,13 @@ options:
   allow_transfer:
     description: List of IP addresses or networks which are allowed to transfer the zone
     required: false
-    type: bool
+    type: list
+    elements: str
   allow_query:
     description: List of IP addresses or networks which are allowed to issue queries
     required: false
-    type: bool
+    type: list
+    elements: str
   refresh:
     description: SOA record refresh time
     required: false
@@ -141,6 +151,9 @@ options:
     description: Force DNS zone creation even if nameserver is not resolvable
     required: false
     type: bool
+author:
+  - Sergio Oliveira Campos (@seocam)
+  - Thomas Woerner (@t-woerner)
 """  # noqa: E501
 
 EXAMPLES = """
@@ -195,13 +208,14 @@ dnszone:
   description: DNS Zone dict with zone name infered from `name_from_ip`.
   returned:
     If `state` is `present`, `name_from_ip` is used, and a zone was created.
-  options:
+  type: dict
+  contains:
     name:
       description: The name of the zone created, inferred from `name_from_ip`.
+      type: str
       returned: always
 """
 
-from ipapython.dnsutil import DNSName  # noqa: E402
 from ansible.module_utils.ansible_freeipa_module import (
     IPAAnsibleModule,
     is_ip_address,
@@ -210,8 +224,9 @@ from ansible.module_utils.ansible_freeipa_module import (
     ipalib_errors,
     compare_args_ipa,
     IPAParamMapping,
+    DNSName,
+    netaddr
 )  # noqa: E402
-import netaddr
 from ansible.module_utils import six
 
 
@@ -265,7 +280,8 @@ class DNSZoneModule(IPAAnsibleModule):
         if any(invalid_ips):
             self.fail_json(msg=error_msg % invalid_ips)
 
-    def is_valid_nsec3param_rec(self, nsec3param_rec):  # pylint: disable=R0201
+    @staticmethod
+    def is_valid_nsec3param_rec(nsec3param_rec):
         try:
             part1, part2, part3, part4 = nsec3param_rec.split(" ")
         except ValueError:
@@ -487,8 +503,8 @@ class DNSZoneModule(IPAAnsibleModule):
 
 def get_argument_spec():
     forwarder_spec = dict(
-        ip_address=dict(type=str, required=True),
-        port=dict(type=int, required=False, default=None),
+        ip_address=dict(type="str", required=True),
+        port=dict(type="int", required=False, default=None),
     )
 
     return dict(
@@ -500,11 +516,13 @@ def get_argument_spec():
         ipaadmin_principal=dict(type="str", default="admin"),
         ipaadmin_password=dict(type="str", required=False, no_log=True),
         name=dict(
-            type="list", default=None, required=False, aliases=["zone_name"]
+            type="list", elements="str", default=None, required=False,
+            aliases=["zone_name"]
         ),
         name_from_ip=dict(type="str", default=None, required=False),
         forwarders=dict(
             type="list",
+            elements="dict",
             default=None,
             required=False,
             options=dict(**forwarder_spec),
@@ -526,8 +544,10 @@ def get_argument_spec():
             aliases=["dynamicupdate"],
         ),
         dnssec=dict(type="bool", required=False, default=None),
-        allow_transfer=dict(type="list", required=False, default=None),
-        allow_query=dict(type="list", required=False, default=None),
+        allow_transfer=dict(type="list", elements="str", required=False,
+                            default=None),
+        allow_query=dict(type="list", elements="str", required=False,
+                         default=None),
         refresh=dict(type="int", required=False, default=None),
         retry=dict(type="int", required=False, default=None),
         expire=dict(type="int", required=False, default=None),

plugins/modules/ipagroup.py

@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,20 +32,104 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipagroup
-short description: Manage FreeIPA groups
+short_description: Manage FreeIPA groups
 description: Manage FreeIPA groups
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The group name
+    type: list
+    elements: str
     required: false
     aliases: ["cn"]
+  groups:
+    description: The list of group dicts (internally gid).
+    type: list
+    elements: dict
+    suboptions:
+      name:
+        description: The group (internally gid).
+        type: str
+        required: true
+        aliases: ["cn"]
+      description:
+        description: The group description
+        type: str
+        required: false
+      gid:
+        description: The GID
+        type: int
+        required: false
+        aliases: ["gidnumber"]
+      nonposix:
+        description: Create as a non-POSIX group
+        required: false
+        type: bool
+      external:
+        description: Allow adding external non-IPA members from trusted domains
+        required: false
+        type: bool
+      posix:
+        description:
+          Create a non-POSIX group or change a non-POSIX to a posix group.
+        required: false
+        type: bool
+      nomembers:
+        description: Suppress processing of membership attributes
+        required: false
+        type: bool
+      user:
+        description: List of user names assigned to this group.
+        required: false
+        type: list
+        elements: str
+      group:
+        description: List of group names assigned to this group.
+        required: false
+        type: list
+        elements: str
+      service:
+        description:
+        - List of service names assigned to this group.
+        - Only usable with IPA versions 4.7 and up.
+        required: false
+        type: list
+        elements: str
+      membermanager_user:
+        description:
+        - List of member manager users assigned to this group.
+        - Only usable with IPA versions 4.8.4 and up.
+        required: false
+        type: list
+        elements: str
+      membermanager_group:
+        description:
+        - List of member manager groups assigned to this group.
+        - Only usable with IPA versions 4.8.4 and up.
+        required: false
+        type: list
+        elements: str
+      externalmember:
+        description:
+        - List of members of a trusted domain in DOM\\name or name@domain form.
+        required: false
+        type: list
+        elements: str
+        aliases: ["ipaexternalmember", "external_member"]
+      idoverrideuser:
+        description:
+        - User ID overrides to add
+        required: false
+        type: list
+        elements: str
   description:
     description: The group description
+    type: str
     required: false
   gid:
     description: The GID
+    type: int
     required: false
     aliases: ["gidnumber"]
   nonposix:
@@ -69,49 +153,58 @@ options:
     description: List of user names assigned to this group.
     required: false
     type: list
+    elements: str
   group:
     description: List of group names assigned to this group.
     required: false
     type: list
+    elements: str
   service:
     description:
     - List of service names assigned to this group.
     - Only usable with IPA versions 4.7 and up.
     required: false
     type: list
+    elements: str
   membermanager_user:
     description:
     - List of member manager users assigned to this group.
     - Only usable with IPA versions 4.8.4 and up.
     required: false
     type: list
+    elements: str
   membermanager_group:
     description:
     - List of member manager groups assigned to this group.
     - Only usable with IPA versions 4.8.4 and up.
     required: false
     type: list
+    elements: str
   externalmember:
     description:
     - List of members of a trusted domain in DOM\\name or name@domain form.
     required: false
     type: list
-    ailases: ["ipaexternalmember", "external_member"]
+    elements: str
+    aliases: ["ipaexternalmember", "external_member"]
   idoverrideuser:
     description:
     - User ID overrides to add
     required: false
     type: list
+    elements: str
   action:
     description: Work on group or member level
+    type: str
     default: group
     choices: ["member", "group"]
   state:
     description: State to ensure
+    type: str
     default: present
     choices: ["present", "absent"]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -131,6 +224,14 @@ EXAMPLES = """
     ipaadmin_password: SomeADMINpassword
     name: appops
 
+# Create multiple groups ops, sysops
+- ipagroup:
+    ipaadmin_password: SomeADMINpassword
+    groups:
+    - name: ops
+      gidnumber: 1234
+    - name: sysops
+
 # Add user member pinky to group sysops
 - ipagroup:
     ipaadmin_password: SomeADMINpassword
@@ -147,7 +248,7 @@ EXAMPLES = """
     user:
     - brain
 
-# Add group members sysops and appops to group sysops
+# Add group members sysops and appops to group ops
 - ipagroup:
     ipaadmin_password: SomeADMINpassword
     name: ops
@@ -155,6 +256,17 @@ EXAMPLES = """
     - sysops
     - appops
 
+# Add user and group members to groups sysops and appops
+- ipagroup:
+    ipaadmin_password: SomeADMINpassword
+    groups:
+    - name: sysops
+      user:
+        - user1
+    - name: appops
+      group:
+        - group2
+
 # Create a non-POSIX group
 - ipagroup:
     ipaadmin_password: SomeADMINpassword
@@ -176,7 +288,16 @@ EXAMPLES = """
     - WINIPA\\Web Users
     - WINIPA\\Developers
 
-# Remove goups sysops, appops, ops and nongroup
+# Create multiple non-POSIX and external groups
+- ipagroup:
+    ipaadmin_password: SomeADMINpassword
+    groups:
+    - name: nongroup
+      nonposix: true
+    - name: extgroup
+      external: true
+
+# Remove groups sysops, appops, ops and nongroup
 - ipagroup:
     ipaadmin_password: SomeADMINpassword
     name: sysops,appops,ops, nongroup
@@ -190,6 +311,20 @@ from ansible.module_utils._text import to_text
 from ansible.module_utils.ansible_freeipa_module import \
     IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, \
     gen_add_list, gen_intersection_list, api_check_param
+from ansible.module_utils import six
+if six.PY3:
+    unicode = str
+# Ensuring (adding) several groups with mixed types external, nonposix
+# and posix require to have a fix in IPA:
+# FreeIPA issue: https://pagure.io/freeipa/issue/9349
+# FreeIPA fix: https://github.com/freeipa/freeipa/pull/6741
+try:
+    from ipaserver.plugins import baseldap
+except ImportError:
+    FIX_6741_DEEPCOPY_OBJECTCLASSES = False
+else:
+    FIX_6741_DEEPCOPY_OBJECTCLASSES = \
+        "deepcopy" in baseldap.LDAPObject.__json__.__code__.co_names
 
 
 def find_group(module, name):
@@ -244,6 +379,22 @@ def gen_member_args(user, group, service, externalmember, idoverrideuser):
     return _args
 
 
+def check_parameters(module, state, action):
+    invalid = []
+    if state == "present":
+        if action == "member":
+            invalid = ["description", "gid", "posix", "nonposix", "external",
+                       "nomembers"]
+
+    else:
+        invalid = ["description", "gid", "posix", "nonposix", "external",
+                   "nomembers"]
+        if action == "group":
+            invalid.extend(["user", "group", "service", "externalmember"])
+
+    module.params_fail_used_invalid(invalid, state, action)
+
+
 def is_external_group(res_find):
     """Verify if the result group is an external group."""
     return res_find and 'ipaexternalgroup' in res_find['objectclass']
@@ -272,39 +423,63 @@ def check_objectclass_args(module, res_find, posix, external):
 
 
 def main():
+    group_spec = dict(
+        # present
+        description=dict(type="str", default=None),
+        gid=dict(type="int", aliases=["gidnumber"], default=None),
+        nonposix=dict(required=False, type='bool', default=None),
+        external=dict(required=False, type='bool', default=None),
+        posix=dict(required=False, type='bool', default=None),
+        nomembers=dict(required=False, type='bool', default=None),
+        user=dict(required=False, type='list', elements="str",
+                  default=None),
+        group=dict(required=False, type='list', elements="str",
+                   default=None),
+        service=dict(required=False, type='list', elements="str",
+                     default=None),
+        idoverrideuser=dict(required=False, type='list', elements="str",
+                            default=None),
+        membermanager_user=dict(required=False, type='list',
+                                elements="str", default=None),
+        membermanager_group=dict(required=False, type='list',
+                                 elements="str", default=None),
+        externalmember=dict(required=False, type='list', elements="str",
+                            default=None,
+                            aliases=[
+                                "ipaexternalmember",
+                                "external_member"
+                            ])
+    )
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["cn"], default=None,
-                      required=True),
-            # present
-            description=dict(type="str", default=None),
-            gid=dict(type="int", aliases=["gidnumber"], default=None),
-            nonposix=dict(required=False, type='bool', default=None),
-            external=dict(required=False, type='bool', default=None),
-            posix=dict(required=False, type='bool', default=None),
-            nomembers=dict(required=False, type='bool', default=None),
-            user=dict(required=False, type='list', default=None),
-            group=dict(required=False, type='list', default=None),
-            service=dict(required=False, type='list', default=None),
-            idoverrideuser=dict(required=False, type='list', default=None),
-            membermanager_user=dict(required=False, type='list', default=None),
-            membermanager_group=dict(required=False, type='list',
-                                     default=None),
-            externalmember=dict(required=False, type='list', default=None,
-                                aliases=[
-                                    "ipaexternalmember",
-                                    "external_member"
-                                ]),
+            name=dict(type="list", elements="str", aliases=["cn"],
+                      default=None, required=False),
+            groups=dict(type="list",
+                        default=None,
+                        options=dict(
+                            # Here name is a simple string
+                            name=dict(type="str", required=True,
+                                      aliases=["cn"]),
+                            # Add group specific parameters
+                            **group_spec
+                        ),
+                        elements='dict',
+                        required=False),
+            # general
             action=dict(type="str", default="group",
                         choices=["member", "group"]),
-            # state
             state=dict(type="str", default="present",
                        choices=["present", "absent"]),
+
+            # Add group specific parameters for simple use case
+            **group_spec
         ),
         # It does not make sense to set posix, nonposix or external at the
         # same time
-        mutually_exclusive=[['posix', 'nonposix', 'external']],
+        mutually_exclusive=[['posix', 'nonposix', 'external'],
+                            ["name", "groups"]],
+        required_one_of=[["name", "groups"]],
         supports_check_mode=True,
     )
 
@@ -314,6 +489,7 @@ def main():
 
     # general
     names = ansible_module.params_get("name")
+    groups = ansible_module.params_get("groups")
 
     # present
     description = ansible_module.params_get("description")
@@ -335,31 +511,50 @@ def main():
     state = ansible_module.params_get("state")
 
     # Check parameters
-    invalid = []
+
+    if (names is None or len(names) < 1) and \
+       (groups is None or len(groups) < 1):
+        ansible_module.fail_json(msg="At least one name or groups is required")
 
     if state == "present":
-        if len(names) != 1:
+        if names is not None and len(names) != 1:
             ansible_module.fail_json(
-                msg="Only one group can be added at a time.")
-        if action == "member":
-            invalid = ["description", "gid", "posix", "nonposix", "external",
-                       "nomembers"]
+                msg="Only one group can be added at a time using 'name'.")
 
-    if state == "absent":
-        if len(names) < 1:
-            ansible_module.fail_json(
-                msg="No name given.")
-        invalid = ["description", "gid", "posix", "nonposix", "external",
-                   "nomembers"]
-        if action == "group":
-            invalid.extend(["user", "group", "service", "externalmember"])
-
-    ansible_module.params_fail_used_invalid(invalid, state, action)
+    check_parameters(ansible_module, state, action)
 
     if external is False:
         ansible_module.fail_json(
             msg="group can not be non-external")
 
+    # Ensuring (adding) several groups with mixed types external, nonposix
+    # and posix require to have a fix in IPA:
+    #
+    # FreeIPA issue: https://pagure.io/freeipa/issue/9349
+    # FreeIPA fix: https://github.com/freeipa/freeipa/pull/6741
+    #
+    # The simple solution is to switch to client context for ensuring
+    # several groups simply if the user was not explicitly asking for
+    # the server context no matter if mixed types are used.
+    context = None
+    if state == "present" and groups is not None and len(groups) > 1 \
+       and not FIX_6741_DEEPCOPY_OBJECTCLASSES:
+        _context = ansible_module.params_get("ipaapi_context")
+        if _context is None:
+            context = "client"
+            ansible_module.debug(
+                "Switching to client context due to an unfixed issue in "
+                "your IPA version: https://pagure.io/freeipa/issue/9349")
+        elif _context == "server":
+            ansible_module.fail_json(
+                msg="Ensuring several groups with server context is not "
+                "supported by your IPA version: "
+                "https://pagure.io/freeipa/issue/9349")
+
+    # Use groups if names is None
+    if groups is not None:
+        names = groups
+
     # Init
 
     changed = False
@@ -370,7 +565,7 @@ def main():
         posix = not nonposix
 
     # Connect to IPA API
-    with ansible_module.ipa_connect():
+    with ansible_module.ipa_connect(context=context):
 
         has_add_member_service = ansible_module.ipa_command_param_exists(
             "group_add_member", "service")
@@ -396,8 +591,57 @@ def main():
                 "supported by your IPA version")
 
         commands = []
+        group_set = set()
+
+        for group_name in names:
+            if isinstance(group_name, dict):
+                name = group_name.get("name")
+                if name in group_set:
+                    ansible_module.fail_json(
+                        msg="group '%s' is used more than once" % name)
+                group_set.add(name)
+                # present
+                description = group_name.get("description")
+                gid = group_name.get("gid")
+                nonposix = group_name.get("nonposix")
+                external = group_name.get("external")
+                idoverrideuser = group_name.get("idoverrideuser")
+                posix = group_name.get("posix")
+                # Check mutually exclusive condition for multiple groups
+                # creation. It's not possible to check it with
+                # `mutually_exclusive` argument in `IPAAnsibleModule` class
+                # because it accepts only (list[str] or list[list[str]]). Here
+                # we need to loop over all groups and fail on mutually
+                # exclusive ones.
+                if all((posix, nonposix)) or\
+                   all((posix, external)) or\
+                   all((nonposix, external)):
+                    ansible_module.fail_json(
+                        msg="parameters are mutually exclusive for group "
+                            "`{0}`: posix|nonposix|external".format(name))
+                # Duplicating the condition for multiple group creation
+                if external is False:
+                    ansible_module.fail_json(
+                        msg="group can not be non-external")
+                # If nonposix is used, set posix as not nonposix
+                if nonposix is not None:
+                    posix = not nonposix
+                user = group_name.get("user")
+                group = group_name.get("group")
+                service = group_name.get("service")
+                membermanager_user = group_name.get("membermanager_user")
+                membermanager_group = group_name.get("membermanager_group")
+                externalmember = group_name.get("externalmember")
+                nomembers = group_name.get("nomembers")
+
+                check_parameters(ansible_module, state, action)
+
+            elif isinstance(group_name, (str, unicode)):
+                name = group_name
+            else:
+                ansible_module.fail_json(msg="Group '%s' is not valid" %
+                                         repr(group_name))
 
-        for name in names:
             # Make sure group exists
             res_find = find_group(ansible_module, name)
 
@@ -574,10 +818,12 @@ def main():
                 del_member_args["service"] = service_del
 
             if is_external_group(res_find):
-                add_member_args["ipaexternalmember"] = \
-                    externalmember_add
-                del_member_args["ipaexternalmember"] = \
-                    externalmember_del
+                if len(externalmember_add) > 0:
+                    add_member_args["ipaexternalmember"] = \
+                        externalmember_add
+                if len(externalmember_del) > 0:
+                    del_member_args["ipaexternalmember"] = \
+                        externalmember_del
             elif externalmember or external:
                 ansible_module.fail_json(
                     msg="Cannot add external members to a "

plugins/modules/ipahbacrule.py

@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,30 +32,36 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipahbacrule
-short description: Manage FreeIPA HBAC rules
+short_description: Manage FreeIPA HBAC rules
 description: Manage FreeIPA HBAC rules
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The hbacrule name
+    type: list
+    elements: str
     required: true
     aliases: ["cn"]
   description:
     description: The hbacrule description
+    type: str
     required: false
   usercategory:
     description: User category the rule applies to
+    type: str
     required: false
     aliases: ["usercat"]
     choices: ["all", ""]
   hostcategory:
     description: Host category the rule applies to
+    type: str
     required: false
     aliases: ["hostcat"]
     choices: ["all", ""]
   servicecategory:
     description: Service category the rule applies to
+    type: str
     required: false
     aliases: ["servicecat"]
     choices: ["all", ""]
@@ -67,36 +73,44 @@ options:
     description: List of host names assigned to this hbacrule.
     required: false
     type: list
+    elements: str
   hostgroup:
     description: List of host groups assigned to this hbacrule.
     required: false
     type: list
+    elements: str
   hbacsvc:
     description: List of HBAC service names assigned to this hbacrule.
     required: false
     type: list
+    elements: str
   hbacsvcgroup:
     description: List of HBAC service names assigned to this hbacrule.
     required: false
     type: list
+    elements: str
   user:
     description: List of user names assigned to this hbacrule.
     required: false
     type: list
+    elements: str
   group:
     description: List of user groups assigned to this hbacrule.
     required: false
     type: list
+    elements: str
   action:
     description: Work on hbacrule or member level
+    type: str
     default: hbacrule
     choices: ["member", "hbacrule"]
   state:
     description: State to ensure
+    type: str
     default: present
     choices: ["present", "absent", "enabled", "disabled"]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -198,7 +212,7 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                       required=True),
             # present
             description=dict(type="str", default=None),
@@ -209,12 +223,18 @@ def main():
             servicecategory=dict(type="str", default=None,
                                  aliases=["servicecat"], choices=["all", ""]),
             nomembers=dict(required=False, type='bool', default=None),
-            host=dict(required=False, type='list', default=None),
-            hostgroup=dict(required=False, type='list', default=None),
-            hbacsvc=dict(required=False, type='list', default=None),
-            hbacsvcgroup=dict(required=False, type='list', default=None),
-            user=dict(required=False, type='list', default=None),
-            group=dict(required=False, type='list', default=None),
+            host=dict(required=False, type='list', elements="str",
+                      default=None),
+            hostgroup=dict(required=False, type='list', elements="str",
+                           default=None),
+            hbacsvc=dict(required=False, type='list', elements="str",
+                         default=None),
+            hbacsvcgroup=dict(required=False, type='list', elements="str",
+                              default=None),
+            user=dict(required=False, type='list', elements="str",
+                      default=None),
+            group=dict(required=False, type='list', elements="str",
+                       default=None),
             action=dict(type="str", default="hbacrule",
                         choices=["member", "hbacrule"]),
             # state

plugins/modules/ipahbacsvc.py

@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,24 +32,28 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipahbacsvc
-short description: Manage FreeIPA HBAC Services
+short_description: Manage FreeIPA HBAC Services
 description: Manage FreeIPA HBAC Services
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The group name
-    required: false
+    type: list
+    elements: str
+    required: true
     aliases: ["cn", "service"]
   description:
     description: The HBAC Service description
+    type: str
     required: false
   state:
     description: State to ensure
+    type: str
     default: present
     choices: ["present", "absent"]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -102,7 +106,7 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["cn", "service"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn", "service"],
                       required=True),
             # present
 

plugins/modules/ipahbacsvcgroup.py

@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -33,36 +33,42 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipahbacsvcgroup
-short description: Manage FreeIPA hbacsvcgroups
+short_description: Manage FreeIPA hbacsvcgroups
 description: Manage FreeIPA hbacsvcgroups
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The hbacsvcgroup name
-    required: false
+    type: list
+    elements: str
+    required: true
     aliases: ["cn"]
   description:
     description: The hbacsvcgroup description
+    type: str
     required: false
   hbacsvc:
     description: List of hbacsvc names assigned to this hbacsvcgroup.
     required: false
     type: list
+    elements: str
   nomembers:
     description: Suppress processing of membership attributes
     required: false
     type: bool
   action:
     description: Work on hbacsvcgroup or member level
+    type: str
     default: hbacsvcgroup
     choices: ["member", "hbacsvcgroup"]
   state:
     description: State to ensure
+    type: str
     default: present
     choices: ["present", "absent"]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -159,12 +165,13 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                       required=True),
             # present
             description=dict(type="str", default=None),
             nomembers=dict(required=False, type='bool', default=None),
-            hbacsvc=dict(required=False, type='list', default=None),
+            hbacsvc=dict(required=False, type='list', elements="str",
+                         default=None),
             action=dict(type="str", default="hbacsvcgroup",
                         choices=["member", "hbacsvcgroup"]),
             # state

plugins/modules/ipahost.py

@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,122 +32,157 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipahost
-short description: Manage FreeIPA hosts
+short_description: Manage FreeIPA hosts
 description: Manage FreeIPA hosts
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The full qualified domain name.
+    type: list
+    elements: str
     aliases: ["fqdn"]
-    required: true
-
-  hosts:
-    description: The list of user host dicts
     required: false
-    options:
+  hosts:
+    description: The list of host dicts
+    required: false
+    type: list
+    elements: dict
+    suboptions:
       name:
         description: The host (internally uid).
+        type: str
         aliases: ["fqdn"]
         required: true
       description:
         description: The host description
+        type: str
         required: false
       locality:
         description: Host locality (e.g. "Baltimore, MD")
+        type: str
         required: false
       location:
         description: Host location (e.g. "Lab 2")
+        type: str
         aliases: ["ns_host_location"]
         required: false
       platform:
         description: Host hardware platform (e.g. "Lenovo T61")
+        type: str
         aliases: ["ns_hardware_platform"]
         required: false
       os:
         description: Host operating system and version (e.g. "Fedora 9")
+        type: str
         aliases: ["ns_os_version"]
         required: false
       password:
         description: Password used in bulk enrollment
+        type: str
         aliases: ["user_password", "userpassword"]
         required: false
       random:
         description:
           Initiate the generation of a random password to be used in bulk
           enrollment
+        type: bool
         aliases: ["random_password"]
         required: false
       certificate:
         description: List of base-64 encoded host certificates
         type: list
+        elements: str
         aliases: ["usercertificate"]
         required: false
       managedby_host:
         description: List of hosts that can manage this host
         type: list
-        aliases: ["principalname", "krbprincipalname"]
+        elements: str
         required: false
       principal:
         description: List of principal aliases for this host
         type: list
+        elements: str
         aliases: ["principalname", "krbprincipalname"]
         required: false
       allow_create_keytab_user:
         description: Users allowed to create a keytab of this host
+        type: list
+        elements: str
         aliases: ["ipaallowedtoperform_write_keys_user"]
         required: false
       allow_create_keytab_group:
         description: Groups allowed to create a keytab of this host
+        type: list
+        elements: str
         aliases: ["ipaallowedtoperform_write_keys_group"]
         required: false
       allow_create_keytab_host:
         description: Hosts allowed to create a keytab of this host
+        type: list
+        elements: str
         aliases: ["ipaallowedtoperform_write_keys_host"]
         required: false
       allow_create_keytab_hostgroup:
         description: Hostgroups allowed to create a keytab of this host
+        type: list
+        elements: str
         aliases: ["ipaallowedtoperform_write_keys_hostgroup"]
         required: false
       allow_retrieve_keytab_user:
         description: Users allowed to retrieve a keytab of this host
+        type: list
+        elements: str
         aliases: ["ipaallowedtoperform_read_keys_user"]
         required: false
       allow_retrieve_keytab_group:
         description: Groups allowed to retrieve a keytab of this host
+        type: list
+        elements: str
         aliases: ["ipaallowedtoperform_read_keys_group"]
         required: false
       allow_retrieve_keytab_host:
         description: Hosts allowed to retrieve a keytab of this host
+        type: list
+        elements: str
         aliases: ["ipaallowedtoperform_read_keys_host"]
         required: false
       allow_retrieve_keytab_hostgroup:
         description: Hostgroups allowed to retrieve a keytab of this host
+        type: list
+        elements: str
         aliases: ["ipaallowedtoperform_read_keys_hostgroup"]
         required: false
       mac_address:
         description: List of hardware MAC addresses.
         type: list
+        elements: str
         aliases: ["macaddress"]
         required: false
       sshpubkey:
         description: List of SSH public keys
         type: list
+        elements: str
         aliases: ["ipasshpubkey"]
         required: false
       userclass:
         description:
           Host category (semantics placed on this attribute are for local
           interpretation)
+        type: list
+        elements: str
         aliases: ["class"]
         required: false
       auth_ind:
         description:
-          Defines a whitelist for Authentication Indicators. Use 'otp' to allow
-          OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA
-          authentications. Other values may be used for custom configurations.
-          Use empty string to reset auth_ind to the initial value.
+          Defines an allow list for Authentication Indicators. Use 'otp'
+          to allow OTP-based 2FA authentications. Use 'radius' to allow
+          RADIUS-based 2FA authentications. Other values may be used
+          for custom configurations. Use empty string to reset auth_ind
+          to the initial value.
         type: list
+        elements: str
         aliases: ["krbprincipalauthind"]
         choices: ["radius", "otp", "pkinit", "hardened", ""]
         required: false
@@ -169,15 +204,18 @@ options:
         required: false
       force:
         description: Force host name even if not in DNS
+        type: bool
         required: false
       reverse:
         description: Reverse DNS detection
-        default: true
+        type: bool
         required: false
       ip_address:
         description:
           The host IP address list (IPv4 and IPv6). No IP address conflict
           check will be done.
+        type: list
+        elements: str
         aliases: ["ipaddress"]
         required: false
       update_dns:
@@ -185,105 +223,138 @@ options:
           Controls the update of the DNS SSHFP records for existing hosts and
           the removal of all DNS entries if a host gets removed with state
           absent.
+        type: bool
+        aliases: ["updatedns"]
         required: false
   description:
     description: The host description
+    type: str
     required: false
   locality:
     description: Host locality (e.g. "Baltimore, MD")
+    type: str
     required: false
   location:
     description: Host location (e.g. "Lab 2")
+    type: str
     aliases: ["ns_host_location"]
     required: false
   platform:
     description: Host hardware platform (e.g. "Lenovo T61")
+    type: str
     aliases: ["ns_hardware_platform"]
     required: false
   os:
     description: Host operating system and version (e.g. "Fedora 9")
+    type: str
     aliases: ["ns_os_version"]
     required: false
   password:
     description: Password used in bulk enrollment
+    type: str
     aliases: ["user_password", "userpassword"]
     required: false
   random:
     description:
       Initiate the generation of a random password to be used in bulk
       enrollment
+    type: bool
     aliases: ["random_password"]
     required: false
   certificate:
     description: List of base-64 encoded host certificates
     type: list
+    elements: str
     aliases: ["usercertificate"]
     required: false
   managedby_host:
     description: List of hosts that can manage this host
     type: list
-    aliases: ["principalname", "krbprincipalname"]
+    elements: str
     required: false
   principal:
     description: List of principal aliases for this host
     type: list
+    elements: str
     aliases: ["principalname", "krbprincipalname"]
     required: false
   allow_create_keytab_user:
     description: Users allowed to create a keytab of this host
+    type: list
+    elements: str
     aliases: ["ipaallowedtoperform_write_keys_user"]
     required: false
   allow_create_keytab_group:
     description: Groups allowed to create a keytab of this host
+    type: list
+    elements: str
     aliases: ["ipaallowedtoperform_write_keys_group"]
     required: false
   allow_create_keytab_host:
     description: Hosts allowed to create a keytab of this host
+    type: list
+    elements: str
     aliases: ["ipaallowedtoperform_write_keys_host"]
     required: false
   allow_create_keytab_hostgroup:
     description: Hostgroups allowed to create a keytab of this host
+    type: list
+    elements: str
     aliases: ["ipaallowedtoperform_write_keys_hostgroup"]
     required: false
   allow_retrieve_keytab_user:
     description: Users allowed to retrieve a keytab of this host
+    type: list
+    elements: str
     aliases: ["ipaallowedtoperform_read_keys_user"]
     required: false
   allow_retrieve_keytab_group:
     description: Groups allowed to retrieve a keytab of this host
+    type: list
+    elements: str
     aliases: ["ipaallowedtoperform_read_keys_group"]
     required: false
   allow_retrieve_keytab_host:
     description: Hosts allowed to retrieve a keytab of this host
+    type: list
+    elements: str
     aliases: ["ipaallowedtoperform_read_keys_host"]
     required: false
   allow_retrieve_keytab_hostgroup:
     description: Hostgroups allowed to retrieve a keytab of this host
+    type: list
+    elements: str
     aliases: ["ipaallowedtoperform_read_keys_hostgroup"]
     required: false
   mac_address:
     description: List of hardware MAC addresses.
     type: list
+    elements: str
     aliases: ["macaddress"]
     required: false
   sshpubkey:
     description: List of SSH public keys
     type: list
+    elements: str
     aliases: ["ipasshpubkey"]
     required: false
   userclass:
     description:
       Host category (semantics placed on this attribute are for local
       interpretation)
+    type: list
+    elements: str
     aliases: ["class"]
     required: false
   auth_ind:
     description:
-      Defines a whitelist for Authentication Indicators. Use 'otp' to allow
-      OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA
-      authentications. Other values may be used for custom configurations.
-      Use empty string to reset auth_ind to the initial value.
+      Defines an allow list for Authentication Indicators. Use 'otp'
+      to allow OTP-based 2FA authentications. Use 'radius' to allow
+      RADIUS-based 2FA authentications. Other values may be used
+      for custom configurations. Use empty string to reset auth_ind
+      to the initial value.
     type: list
+    elements: str
     aliases: ["krbprincipalauthind"]
     choices: ["radius", "otp", "pkinit", "hardened", ""]
     required: false
@@ -298,21 +369,25 @@ options:
     aliases: ["ipakrbokasdelegate"]
     required: false
   ok_to_auth_as_delegate:
-    description: The service is allowed to authenticate on behalf of a client
+    description:
+      The service is allowed to authenticate on behalf of a client
     type: bool
     aliases: ["ipakrboktoauthasdelegate"]
     required: false
   force:
     description: Force host name even if not in DNS
+    type: bool
     required: false
   reverse:
     description: Reverse DNS detection
-    default: true
+    type: bool
     required: false
   ip_address:
     description:
       The host IP address list (IPv4 and IPv6). No IP address conflict
       check will be done.
+    type: list
+    elements: str
     aliases: ["ipaddress"]
     required: false
   update_dns:
@@ -320,23 +395,27 @@ options:
       Controls the update of the DNS SSHFP records for existing hosts and
       the removal of all DNS entries if a host gets removed with state
       absent.
+    type: bool
+    aliases: ["updatedns"]
     required: false
   update_password:
     description:
       Set password for a host in present state only on creation or always
-    default: 'always'
+    type: str
     choices: ["always", "on_create"]
   action:
     description: Work on host or member level
+    type: str
     default: "host"
     choices: ["member", "host"]
   state:
     description: State to ensure
+    type: str
     default: present
     choices: ["present", "absent",
               "disabled"]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -362,6 +441,15 @@ EXAMPLES = """
     description: Example host
     force: yes
 
+# Ensure multiple hosts are present with random passwords
+- ipahost:
+    ipaadmin_password: SomeADMINpassword
+    hosts:
+    - name: host01.example.com
+      random: yes
+    - name: host02.example.com
+      random: yes
+
 # Initiate generation of a random password for the host
 - ipahost:
     ipaadmin_password: SomeADMINpassword
@@ -370,6 +458,18 @@ EXAMPLES = """
     ip_address: 192.168.0.123
     random: yes
 
+# Ensure multiple hosts are present with principals
+- ipahost:
+    ipaadmin_password: SomeADMINpassword
+    hosts:
+    - name: host01.example.com
+      principal:
+      - host/testhost01.example.com
+    - name: host02.example.com
+      principal:
+      - host/myhost01.example.com
+    action: member
+
 # Ensure host is disabled
 - ipahost:
     ipaadmin_password: SomeADMINpassword
@@ -387,19 +487,23 @@ EXAMPLES = """
 RETURN = """
 host:
   description: Host dict with random password
-  returned: If random is yes and user did not exist or update_password is yes
+  returned: If random is yes and host did not exist or update_password is yes
   type: dict
-  options:
+  contains:
     randompassword:
       description: The generated random password
-      returned: If only one user is handled by the module
+      type: str
+      returned: |
+        If only one host is handled by the module without using hosts parameter
     name:
-      description: The user name of the user that got a new random password
-      returned: If several users are handled by the module
+      description: The host name of the host that got a new random password
+      returned: |
+        If several hosts are handled by the module with the hosts parameter
       type: dict
-      options:
+      contains:
         randompassword:
           description: The generated random password
+          type: str
           returned: always
 """
 
@@ -565,10 +669,10 @@ def check_parameters(   # pylint: disable=unused-argument
 
 # pylint: disable=unused-argument
 def result_handler(module, result, command, name, args, errors, exit_args,
-                   one_name):
+                   single_host):
     if "random" in args and command in ["host_add", "host_mod"] \
        and "randompassword" in result["result"]:
-        if one_name:
+        if single_host:
             exit_args["randompassword"] = \
                 result["result"]["randompassword"]
         else:
@@ -590,7 +694,7 @@ def result_handler(module, result, command, name, args, errors, exit_args,
 
 
 # pylint: disable=unused-argument
-def exception_handler(module, ex, errors, exit_args, one_name):
+def exception_handler(module, ex, errors, exit_args, single_host):
     msg = str(ex)
     if "already contains" in msg \
        or "does not contain" in msg:
@@ -626,52 +730,52 @@ def main():
                       default=None, no_log=True),
         random=dict(type="bool", aliases=["random_password"],
                     default=None),
-        certificate=dict(type="list", aliases=["usercertificate"],
-                         default=None),
-        managedby_host=dict(type="list",
-                            default=None),
-        principal=dict(type="list", aliases=["krbprincipalname"],
+        certificate=dict(type="list", elements="str",
+                         aliases=["usercertificate"], default=None),
+        managedby_host=dict(type="list", elements="str", default=None),
+        principal=dict(type="list", elements="str",
+                       aliases=["principalname", "krbprincipalname"],
                        default=None),
         allow_create_keytab_user=dict(
-            type="list",
+            type="list", elements="str",
             aliases=["ipaallowedtoperform_write_keys_user"],
-            default=None),
+            default=None, no_log=False),
         allow_create_keytab_group=dict(
-            type="list",
+            type="list", elements="str",
             aliases=["ipaallowedtoperform_write_keys_group"],
-            default=None),
+            default=None, no_log=False),
         allow_create_keytab_host=dict(
-            type="list",
+            type="list", elements="str",
             aliases=["ipaallowedtoperform_write_keys_host"],
-            default=None),
+            default=None, no_log=False),
         allow_create_keytab_hostgroup=dict(
-            type="list",
+            type="list", elements="str",
             aliases=["ipaallowedtoperform_write_keys_hostgroup"],
-            default=None),
+            default=None, no_log=False),
         allow_retrieve_keytab_user=dict(
-            type="list",
-            aliases=["ipaallowedtoperform_write_keys_user"],
-            default=None),
+            type="list", elements="str",
+            aliases=["ipaallowedtoperform_read_keys_user"],
+            default=None, no_log=False),
         allow_retrieve_keytab_group=dict(
-            type="list",
-            aliases=["ipaallowedtoperform_write_keys_group"],
-            default=None),
+            type="list", elements="str",
+            aliases=["ipaallowedtoperform_read_keys_group"],
+            default=None, no_log=False),
         allow_retrieve_keytab_host=dict(
-            type="list",
-            aliases=["ipaallowedtoperform_write_keys_host"],
-            default=None),
+            type="list", elements="str",
+            aliases=["ipaallowedtoperform_read_keys_host"],
+            default=None, no_log=False),
         allow_retrieve_keytab_hostgroup=dict(
-            type="list",
-            aliases=["ipaallowedtoperform_write_keys_hostgroup"],
-            default=None),
-        mac_address=dict(type="list", aliases=["macaddress"],
+            type="list", elements="str",
+            aliases=["ipaallowedtoperform_read_keys_hostgroup"],
+            default=None, no_log=False),
+        mac_address=dict(type="list", elements="str", aliases=["macaddress"],
                          default=None),
-        sshpubkey=dict(type="str", aliases=["ipasshpubkey"],
+        sshpubkey=dict(type="list", elements="str", aliases=["ipasshpubkey"],
                        default=None),
-        userclass=dict(type="list", aliases=["class"],
+        userclass=dict(type="list", elements="str", aliases=["class"],
                        default=None),
-        auth_ind=dict(type='list', aliases=["krbprincipalauthind"],
-                      default=None,
+        auth_ind=dict(type='list', elements="str",
+                      aliases=["krbprincipalauthind"], default=None,
                       choices=['radius', 'otp', 'pkinit', 'hardened', '']),
         requires_pre_auth=dict(type="bool", aliases=["ipakrbrequirespreauth"],
                                default=None),
@@ -682,7 +786,7 @@ def main():
                                     default=None),
         force=dict(type='bool', default=None),
         reverse=dict(type='bool', default=None),
-        ip_address=dict(type="list", aliases=["ipaddress"],
+        ip_address=dict(type="list", elements="str", aliases=["ipaddress"],
                         default=None),
         update_dns=dict(type="bool", aliases=["updatedns"],
                         default=None),
@@ -695,8 +799,8 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["fqdn"], default=None,
-                      required=False),
+            name=dict(type="list", elements="str", aliases=["fqdn"],
+                      default=None, required=False),
 
             hosts=dict(type="list", default=None,
                        options=dict(
@@ -762,7 +866,8 @@ def main():
     allow_retrieve_keytab_hostgroup = ansible_module.params_get(
         "allow_retrieve_keytab_hostgroup")
     mac_address = ansible_module.params_get("mac_address")
-    sshpubkey = ansible_module.params_get("sshpubkey")
+    sshpubkey = ansible_module.params_get("sshpubkey",
+                                          allow_empty_string=True)
     userclass = ansible_module.params_get("userclass")
     auth_ind = ansible_module.params_get("auth_ind", allow_empty_string=True)
     requires_pre_auth = ansible_module.params_get("requires_pre_auth")
@@ -1386,7 +1491,7 @@ def main():
 
         changed = ansible_module.execute_ipa_commands(
             commands, result_handler, exception_handler,
-            exit_args=exit_args, one_name=len(names) == 1)
+            exit_args=exit_args, single_host=hosts is None)
 
     # Done
 

plugins/modules/ipahostgroup.py

@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -33,17 +33,20 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipahostgroup
-short description: Manage FreeIPA hostgroups
+short_description: Manage FreeIPA hostgroups
 description: Manage FreeIPA hostgroups
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The hostgroup name
-    required: false
+    type: list
+    elements: str
+    required: true
     aliases: ["cn"]
   description:
     description: The hostgroup description
+    type: str
     required: false
   nomembers:
     description: Suppress processing of membership attributes
@@ -53,38 +56,45 @@ options:
     description: List of host names assigned to this hostgroup.
     required: false
     type: list
+    elements: str
   hostgroup:
     description: List of hostgroup names assigned to this hostgroup.
     required: false
     type: list
+    elements: str
   membermanager_user:
     description:
     - List of member manager users assigned to this hostgroup.
     - Only usable with IPA versions 4.8.4 and up.
     required: false
     type: list
+    elements: str
   membermanager_group:
     description:
     - List of member manager groups assigned to this hostgroup.
     - Only usable with IPA versions 4.8.4 and up.
     required: false
     type: list
+    elements: str
   rename:
     description:
     - Rename hostgroup to the given name.
     - Only usable with IPA versions 4.8.7 and up.
+    type: str
     required: false
     aliases: ["new_name"]
   action:
     description: Work on hostgroup or member level
+    type: str
     default: hostgroup
     choices: ["member", "hostgroup"]
   state:
     description: State to ensure
+    type: str
     default: present
     choices: ["present", "absent", "renamed"]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -185,16 +195,19 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                       required=True),
             # present
             description=dict(type="str", default=None),
             nomembers=dict(required=False, type='bool', default=None),
-            host=dict(required=False, type='list', default=None),
-            hostgroup=dict(required=False, type='list', default=None),
-            membermanager_user=dict(required=False, type='list', default=None),
+            host=dict(required=False, type='list', elements="str",
+                      default=None),
+            hostgroup=dict(required=False, type='list', elements="str",
+                           default=None),
+            membermanager_user=dict(required=False, type='list',
+                                    elements="str", default=None),
             membermanager_group=dict(required=False, type='list',
-                                     default=None),
+                                     elements="str", default=None),
             rename=dict(required=False, type='str', default=None,
                         aliases=["new_name"]),
             action=dict(type="str", default="hostgroup",

plugins/modules/ipaidrange.py

@@ -2,6 +2,7 @@
 
 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
 # Copyright (C) 2022 Red Hat
 # see file 'COPYING' for use and warranty information
@@ -32,7 +33,7 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipaidrange
-short description: Manage FreeIPA idrange
+short_description: Manage FreeIPA idrange
 description: Manage FreeIPA idrange
 extends_documentation_fragment:
   - ipamodule_base_docs
@@ -40,6 +41,8 @@ extends_documentation_fragment:
 options:
   name:
     description: The list of idrange name strings.
+    type: list
+    elements: str
     required: true
     aliases: ["cn"]
   base_id:
@@ -64,33 +67,37 @@ options:
     aliases: ["ipasecondarybaserid"]
   idrange_type:
     description: ID range type.
-    type: string
+    type: str
     required: false
     choices: ["ipa-ad-trust", "ipa-ad-trust-posix", "ipa-local"]
     aliases: ["iparangetype"]
   dom_sid:
     description: Domain SID of the trusted domain.
-    type: string
+    type: str
     required: false
     aliases: ["ipanttrusteddomainsid"]
   dom_name:
     description: |
       Domain name of the trusted domain. Can only be used when
       `ipaapi_context: server`.
-    type: string
+    type: str
     required: false
     aliases: ["ipanttrusteddomainname"]
   auto_private_groups:
     description: Auto creation of private groups.
-    type: string
+    type: str
     required: false
     choices: ["true", "false", "hybrid"]
     aliases: ["ipaautoprivategroups"]
   state:
     description: The state to ensure.
+    type: str
     choices: ["present", "absent"]
     default: present
-    required: true
+    required: false
+author:
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -184,8 +191,8 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["cn"],
-                      default=None, required=True),
+            name=dict(type="list", elements="str", aliases=["cn"],
+                      required=True),
             # present
             base_id=dict(required=False, type='int',
                          aliases=["ipabaseid"], default=None),

plugins/modules/ipalocation.py

@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2020 Red Hat
+# Copyright (C) 2020-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,23 +32,29 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipalocation
-short description: Manage FreeIPA location
+short_description: Manage FreeIPA location
 description: Manage FreeIPA location
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The list of location name strings.
+    type: list
+    elements: str
     required: true
     aliases: ["idnsname"]
   description:
     description: The IPA location string
+    type: str
     required: false
   state:
     description: The state to ensure.
+    type: str
     choices: ["present", "absent"]
     default: present
-    required: true
+    required: false
+author:
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -94,8 +100,8 @@ def gen_args(description):
 def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
-            name=dict(type="list", aliases=["idnsname"],
-                      default=None, required=True),
+            name=dict(type="list", elements="str", aliases=["idnsname"],
+                      required=True),
             # present
             description=dict(required=False, type='str', default=None),
             # state

plugins/modules/ipanetgroup.py

@@ -0,0 +1,436 @@
+# -*- coding: utf-8 -*-
+
+# Authors:
+#   Denis Karpelevich <dkarpele@redhat.com>
+#
+# Copyright (C) 2022 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {
+    "metadata_version": "1.0",
+    "supported_by": "community",
+    "status": ["preview"],
+}
+
+DOCUMENTATION = """
+---
+module: ipanetgroup
+short_description: NIS entities can be stored in netgroups.
+description: |
+  A netgroup is a group used for permission checking.
+  It can contain both user and host values.
+extends_documentation_fragment:
+  - ipamodule_base_docs
+  - ipamodule_base_docs.delete_continue
+options:
+  name:
+    description: The list of netgroup name strings.
+    required: true
+    type: list
+    elements: str
+    aliases: ["cn"]
+  description:
+    description: Netgroup description
+    required: false
+    type: str
+    aliases: ["desc"]
+  nisdomain:
+    description: NIS domain name
+    required: false
+    type: str
+    aliases: ["nisdomainname"]
+  nomembers:
+    description: Suppress processing of membership attributes
+    required: false
+    type: bool
+  user:
+    description: List of user names assigned to this netgroup.
+    required: false
+    type: list
+    elements: str
+    aliases: ["users"]
+  group:
+    description: List of group names assigned to this netgroup.
+    required: false
+    type: list
+    elements: str
+    aliases: ["groups"]
+  host:
+    description: List of host names assigned to this netgroup.
+    required: false
+    type: list
+    elements: str
+    aliases: ["hosts"]
+  hostgroup:
+    description: List of host group names assigned to this netgroup.
+    required: false
+    type: list
+    elements: str
+    aliases: ["hostgroups"]
+  netgroup:
+    description: List of netgroup names assigned to this netgroup.
+    required: false
+    type: list
+    elements: str
+    aliases: ["netgroups"]
+  action:
+    description: Work on netgroup or member level
+    required: false
+    type: str
+    default: netgroup
+    choices: ["member", "netgroup"]
+  state:
+    description: The state to ensure.
+    type: str
+    choices: ["present", "absent"]
+    default: present
+author:
+    - Denis Karpelevich (@dkarpele)
+"""
+
+EXAMPLES = """
+- name: Ensure netgroup my_netgroup1 is present
+  ipanetgroup:
+    ipaadmin_password: SomeADMINpassword
+    name: my_netgroup1
+    description: My netgroup 1
+
+- name: Ensure netgroup my_netgroup1 is absent
+  ipanetgroup:
+    ipaadmin_password: SomeADMINpassword
+    name: my_netgroup1
+    state: absent
+
+- name: Ensure netgroup is present with user "user1"
+  ipanetgroup:
+    ipaadmin_password: SomeADMINpassword
+    name: TestNetgroup1
+    user: user1
+    action: member
+
+- name: Ensure netgroup user, "user1", is absent
+  ipanetgroup:
+    ipaadmin_password: SomeADMINpassword
+    name: TestNetgroup1
+    user: "user1"
+    action: member
+    state: absent
+
+- name: Ensure netgroup is present with members
+  ipanetgroup:
+    ipaadmin_password: SomeADMINpassword
+    name: TestNetgroup1
+    user: user1,user2
+    group: group1
+    host: host1
+    hostgroup: ipaservers
+    netgroup: admins
+    action: member
+
+- name: Ensure 2 netgroups TestNetgroup1, admins are absent
+  ipanetgroup:
+    ipaadmin_password: SomeADMINpassword
+    name:
+    - TestNetgroup1
+    - admins
+    state: absent
+"""
+
+RETURN = """
+"""
+
+
+from ansible.module_utils.ansible_freeipa_module import \
+    IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, \
+    gen_add_list, gen_intersection_list, ensure_fqdn
+
+
+def find_netgroup(module, name):
+    """Find if a netgroup with the given name already exist."""
+    _args = {
+        "all": True,
+        "cn": name,
+    }
+
+    # `netgroup_find` is used here instead of `netgroup_show` to workaround
+    # FreeIPA bug https://pagure.io/freeipa/issue/9284.
+    # `ipa netgroup-show hostgroup` shows hostgroup - it's a bug.
+    # `ipa netgroup-find hostgroup` doesn't show hostgroup - it's correct.
+    _result = module.ipa_command("netgroup_find", name, _args)
+
+    if len(_result["result"]) > 1:
+        module.fail_json(
+            msg="There is more than one netgroup '%s'" % name)
+    elif len(_result["result"]) == 1:
+        return _result["result"][0]
+
+    return None
+
+
+def gen_args(description, nisdomain, nomembers):
+    _args = {}
+    if description is not None:
+        _args["description"] = description
+    if nisdomain is not None:
+        _args["nisdomainname"] = nisdomain
+    if nomembers is not None:
+        _args["nomembers"] = nomembers
+
+    return _args
+
+
+def gen_member_args(user, group, host, hostgroup, netgroup):
+    _args = {}
+    if user is not None:
+        _args["memberuser_user"] = user
+    if group is not None:
+        _args["memberuser_group"] = group
+    if host is not None:
+        _args["memberhost_host"] = host
+    if hostgroup is not None:
+        _args["memberhost_hostgroup"] = hostgroup
+    if netgroup is not None:
+        _args["member_netgroup"] = netgroup
+
+    return _args
+
+
+def main():
+    ansible_module = IPAAnsibleModule(
+        argument_spec=dict(
+            # general
+            name=dict(type="list", elements="str", aliases=["cn"],
+                      required=True),
+            # present
+            description=dict(required=False, type='str',
+                             aliases=["desc"], default=None),
+            nisdomain=dict(required=False, type='str',
+                           aliases=["nisdomainname"], default=None),
+            nomembers=dict(required=False, type='bool', default=None),
+            user=dict(required=False, type='list', elements="str",
+                      aliases=["users"], default=None),
+            group=dict(required=False, type='list', elements="str",
+                       aliases=["groups"], default=None),
+            host=dict(required=False, type='list', elements="str",
+                      aliases=["hosts"], default=None),
+            hostgroup=dict(required=False, type='list', elements="str",
+                           aliases=["hostgroups"], default=None),
+            netgroup=dict(required=False, type='list', elements="str",
+                          aliases=["netgroups"], default=None),
+            action=dict(required=False, type="str", default="netgroup",
+                        choices=["member", "netgroup"]),
+            # state
+            state=dict(type="str", default="present",
+                       choices=["present", "absent"]),
+        ),
+        supports_check_mode=True,
+        ipa_module_options=["delete_continue"],
+    )
+
+    ansible_module._ansible_debug = True
+
+    # Get parameters
+
+    # general
+    names = ansible_module.params_get("name")
+
+    # present
+    description = ansible_module.params_get("description")
+    nisdomain = ansible_module.params_get("nisdomain")
+    nomembers = ansible_module.params_get("nomembers")
+    user = ansible_module.params_get_lowercase("user")
+    group = ansible_module.params_get_lowercase("group")
+    host = ansible_module.params_get_lowercase("host")
+    hostgroup = ansible_module.params_get_lowercase("hostgroup")
+    netgroup = ansible_module.params_get_lowercase("netgroup")
+    action = ansible_module.params_get("action")
+
+    # state
+    state = ansible_module.params_get("state")
+
+    # Check parameters
+
+    invalid = []
+
+    if state == "present":
+        if len(names) != 1:
+            ansible_module.fail_json(
+                msg="Only one netgroup can be added at a time.")
+        if action == "member":
+            invalid = ["description", "nisdomain", "nomembers"]
+
+    if state == "absent":
+        if len(names) < 1:
+            ansible_module.fail_json(msg="No name given.")
+        if len(names) != 1 and action == "member":
+            ansible_module.fail_json(msg="Members can be removed only from one"
+                                         " netgroup at a time.")
+        invalid = ["description", "nisdomain", "nomembers"]
+        if action == "netgroup":
+            invalid.extend(["user", "group", "host", "hostgroup", "netgroup"])
+
+    ansible_module.params_fail_used_invalid(invalid, state)
+
+    # Init
+
+    exit_args = {}
+
+    # Connect to IPA API
+    with ansible_module.ipa_connect():
+        # Ensure fqdn host names, use default domain for simple names
+        if host is not None:
+            default_domain = ansible_module.ipa_get_domain()
+            host = [ensure_fqdn(_host, default_domain).lower()
+                    for _host in host]
+
+        commands = []
+        for name in names:
+            # Make sure netgroup exists
+            res_find = find_netgroup(ansible_module, name)
+
+            user_add, user_del = [], []
+            group_add, group_del = [], []
+            host_add, host_del = [], []
+            hostgroup_add, hostgroup_del = [], []
+            netgroup_add, netgroup_del = [], []
+
+            # Create command
+            if state == "present":
+                # Generate args
+                args = gen_args(description, nisdomain, nomembers)
+
+                if action == "netgroup":
+                    # Found the netgroup
+                    if res_find is not None:
+                        # For all settings is args, check if there are
+                        # different settings in the find result.
+                        # If yes: modify
+                        if not compare_args_ipa(ansible_module, args,
+                                                res_find):
+                            commands.append([name, "netgroup_mod", args])
+                    else:
+                        commands.append([name, "netgroup_add", args])
+                        res_find = {}
+
+                    member_args = gen_member_args(
+                        user, group, host, hostgroup, netgroup
+                    )
+                    if not compare_args_ipa(ansible_module, member_args,
+                                            res_find):
+                        # Generate addition and removal lists
+                        user_add, user_del = gen_add_del_lists(
+                            user, res_find.get("memberuser_user"))
+
+                        group_add, group_del = gen_add_del_lists(
+                            group, res_find.get("memberuser_group"))
+
+                        host_add, host_del = gen_add_del_lists(
+                            host, res_find.get("memberhost_host"))
+
+                        hostgroup_add, hostgroup_del = gen_add_del_lists(
+                            hostgroup, res_find.get("memberhost_hostgroup"))
+
+                        netgroup_add, netgroup_del = gen_add_del_lists(
+                            netgroup, res_find.get("member_netgroup"))
+
+                elif action == "member":
+                    if res_find is None:
+                        ansible_module.fail_json(msg="No netgroup '%s'" % name)
+
+                    # Reduce add lists for memberuser_user, memberuser_group,
+                    # member_service and member_external to new entries
+                    # only that are not in res_find.
+                    user_add = gen_add_list(
+                        user, res_find.get("memberuser_user"))
+                    group_add = gen_add_list(
+                        group, res_find.get("memberuser_group"))
+                    host_add = gen_add_list(
+                        host, res_find.get("memberhost_host"))
+                    hostgroup_add = gen_add_list(
+                        hostgroup, res_find.get("memberhost_hostgroup"))
+                    netgroup_add = gen_add_list(
+                        netgroup, res_find.get("member_netgroup"))
+
+            elif state == "absent":
+                if action == "netgroup":
+                    if res_find is not None:
+                        commands.append([name, "netgroup_del", {}])
+
+                elif action == "member":
+                    if res_find is None:
+                        ansible_module.fail_json(msg="No netgroup '%s'" % name)
+                    user_del = gen_intersection_list(
+                        user, res_find.get("memberuser_user"))
+                    group_del = gen_intersection_list(
+                        group, res_find.get("memberuser_group"))
+                    host_del = gen_intersection_list(
+                        host, res_find.get("memberhost_host"))
+                    hostgroup_del = gen_intersection_list(
+                        hostgroup, res_find.get("memberhost_hostgroup"))
+                    netgroup_del = gen_intersection_list(
+                        netgroup, res_find.get("member_netgroup"))
+
+            else:
+                ansible_module.fail_json(msg="Unknown state '%s'" % state)
+
+            # manage members
+            # setup member args for add/remove members.
+            add_member_args = {
+                "user": user_add,
+                "group": group_add,
+                "host": host_add,
+                "hostgroup": hostgroup_add,
+                "netgroup": netgroup_add
+            }
+
+            del_member_args = {
+                "user": user_del,
+                "group": group_del,
+                "host": host_del,
+                "hostgroup": hostgroup_del,
+                "netgroup": netgroup_del
+            }
+
+            # Add members
+            add_members = any([user_add, group_add, host_add,
+                               hostgroup_add, netgroup_add])
+            if add_members:
+                commands.append(
+                    [name, "netgroup_add_member", add_member_args]
+                )
+            # Remove members
+            remove_members = any([user_del, group_del, host_del,
+                                  hostgroup_del, netgroup_del])
+            if remove_members:
+                commands.append(
+                    [name, "netgroup_remove_member", del_member_args]
+                )
+        # Execute commands
+
+        changed = ansible_module.execute_ipa_commands(
+            commands, fail_on_member_errors=True)
+
+    # Done
+
+    ansible_module.exit_json(changed=changed, **exit_args)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/ipapermission.py

@@ -2,8 +2,9 @@
 
 # Authors:
 #   Seth Kress <kresss@gmail.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2020 Red Hat
+# Copyright (C) 2020-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,13 +33,15 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipapermission
-short description: Manage FreeIPA permission
+short_description: Manage FreeIPA permission
 description: Manage FreeIPA permission and permission members
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The permission name string.
+    type: list
+    elements: str
     required: true
     aliases: ["cn"]
   right:
@@ -46,52 +49,64 @@ options:
     required: false
     choices: ["read", "search", "compare", "write", "add", "delete", "all"]
     type: list
+    elements: str
     aliases: ["ipapermright"]
   attrs:
     description: All attributes to which the permission applies
     required: false
     type: list
+    elements: str
   bindtype:
     description: Bind rule type
     required: false
-    choices: ["permission", "all", "anonymous"]
+    type: str
+    choices: ["permission", "all", "anonymous", "self"]
     aliases: ["ipapermbindruletype"]
   subtree:
     description: Subtree to apply permissions to
+    type: str
     required: false
     aliases: ["ipapermlocation"]
-  filter:
+  extra_target_filter:
     description: Extra target filter
     required: false
     type: list
-    aliases: ["extratargetfilter"]
+    elements: str
+    aliases: ["filter", "extratargetfilter"]
   rawfilter:
     description: All target filters
     required: false
     type: list
+    elements: str
     aliases: ["ipapermtargetfilter"]
   target:
     description: Optional DN to apply the permission to
+    type: str
     required: false
     aliases: ["ipapermtarget"]
   targetto:
     description: Optional DN subtree where an entry can be moved to
+    type: str
     required: false
     aliases: ["ipapermtargetto"]
   targetfrom:
     description: Optional DN subtree from where an entry can be moved
+    type: str
     required: false
     aliases: ["ipapermtargetfrom"]
   memberof:
     description: Target members of a group (sets memberOf targetfilter)
     required: false
     type: list
+    elements: str
   targetgroup:
     description: User group to apply permissions to (sets target)
+    type: str
     required: false
     aliases: ["targetgroup"]
   object_type:
     description: Type of IPA object (sets subtree and objectClass targetfilter)
+    type: str
     required: false
     aliases: ["type"]
   no_members:
@@ -100,18 +115,24 @@ options:
     type: bool
   rename:
     description: Rename the permission object
+    type: str
     required: false
     aliases: ["new_name"]
   action:
     description: Work on permission or member privilege level.
+    type: str
     choices: ["permission", "member"]
     default: permission
     required: false
   state:
     description: The state to ensure.
+    type: str
     choices: ["present", "absent", "renamed"]
     default: present
-    required: true
+    required: false
+author:
+  - Seth Kress (@kresss)
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -203,24 +224,26 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["cn"],
-                      default=None, required=True),
+            name=dict(type="list", elements="str", aliases=["cn"],
+                      required=True),
             # present
-            right=dict(type="list", aliases=["ipapermright"], default=None,
-                       required=False,
+            right=dict(type="list", elements="str", aliases=["ipapermright"],
+                       default=None, required=False,
                        choices=["read", "search", "compare", "write", "add",
                                 "delete", "all"]),
-            attrs=dict(type="list", default=None, required=False),
+            attrs=dict(type="list", elements="str", default=None,
+                       required=False),
             # Note: bindtype has a default of permission for Adds.
             bindtype=dict(type="str", aliases=["ipapermbindruletype"],
-                          default=None, require=False, choices=["permission",
+                          default=None, required=False, choices=["permission",
                           "all", "anonymous", "self"]),
             subtree=dict(type="str", aliases=["ipapermlocation"], default=None,
                          required=False),
-            extra_target_filter=dict(type="list", aliases=["filter",
-                                     "extratargetfilter"], default=None,
-                                     required=False),
-            rawfilter=dict(type="list", aliases=["ipapermtargetfilter"],
+            extra_target_filter=dict(type="list", elements="str",
+                                     aliases=["filter", "extratargetfilter"],
+                                     default=None, required=False),
+            rawfilter=dict(type="list", elements="str",
+                           aliases=["ipapermtargetfilter"],
                            default=None, required=False),
             target=dict(type="str", aliases=["ipapermtarget"], default=None,
                         required=False),
@@ -228,11 +251,12 @@ def main():
                           default=None, required=False),
             targetfrom=dict(type="str", aliases=["ipapermtargetfrom"],
                             default=None, required=False),
-            memberof=dict(type="list", default=None, required=False),
+            memberof=dict(type="list", elements="str", default=None,
+                          required=False),
             targetgroup=dict(type="str", default=None, required=False),
             object_type=dict(type="str", aliases=["type"], default=None,
                              required=False),
-            no_members=dict(type=bool, default=None, require=False),
+            no_members=dict(type="bool", default=None, required=False),
             rename=dict(type="str", default=None, required=False,
                         aliases=["new_name"]),
             action=dict(type="str", default="permission",

plugins/modules/ipaprivilege.py

@@ -2,8 +2,9 @@
 
 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2020 Red Hat
+# Copyright (C) 2020-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -35,35 +36,46 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipaprivilege
-short description: Manage FreeIPA privilege
+short_description: Manage FreeIPA privilege
 description: Manage FreeIPA privilege and privilege members
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The list of privilege name strings.
+    type: list
+    elements: str
     required: true
     aliases: ["cn"]
   description:
     description: Privilege description
+    type: str
     required: false
   rename:
     description: Rename the privilege object.
+    type: str
     required: false
     aliases: ["new_name"]
   permission:
     description: Permissions to be added to the privilege.
+    type: list
+    elements: str
     required: false
   action:
     description: Work on privilege or member level.
+    type: str
     choices: ["privilege", "member"]
     default: privilege
     required: false
   state:
     description: The state to ensure.
+    type: str
     choices: ["present", "absent", "renamed"]
     default: present
-    required: true
+    required: false
+author:
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -134,13 +146,14 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["cn"],
-                      default=None, required=True),
+            name=dict(type="list", elements="str", aliases=["cn"],
+                      required=True),
             # present
             description=dict(required=False, type='str', default=None),
             rename=dict(required=False, type='str', default=None,
                         aliases=["new_name"], ),
-            permission=dict(required=False, type='list', default=None),
+            permission=dict(required=False, type='list', elements="str",
+                            default=None),
             action=dict(type="str", default="privilege",
                         choices=["member", "privilege"]),
             # state

plugins/modules/ipapwpolicy.py

@@ -2,8 +2,9 @@
 
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
+#   Rafael Guterres Jeffman <rjeffman@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,70 +33,105 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipapwpolicy
-short description: Manage FreeIPA pwpolicies
+short_description: Manage FreeIPA pwpolicies
 description: Manage FreeIPA pwpolicies
+extends_documentation_fragment:
+  - ipamodule_base_docs
 options:
-  ipaadmin_principal:
-    description: The admin principal
-    default: admin
-  ipaadmin_password:
-    description: The admin password
-    required: false
   name:
     description: The group name
+    type: list
+    elements: str
     required: false
     aliases: ["cn"]
   maxlife:
     description: Maximum password lifetime (in days)
-    type: int
+    type: str
     required: false
     aliases: ["krbmaxpwdlife"]
   minlife:
     description: Minimum password lifetime (in hours)
-    type: int
+    type: str
     required: false
     aliases: ["krbminpwdlife"]
   history:
     description: Password history size
-    type: int
+    type: str
     required: false
     aliases: ["krbpwdhistorylength"]
   minclasses:
     description: Minimum number of character classes
-    type: int
+    type: str
     required: false
     aliases: ["krbpwdmindiffchars"]
   minlength:
     description: Minimum length of password
-    type: int
+    type: str
     required: false
     aliases: ["krbpwdminlength"]
   priority:
     description: Priority of the policy (higher number means lower priority)
-    type: int
+    type: str
     required: false
     aliases: ["cospriority"]
   maxfail:
     description: Consecutive failures before lockout
-    type: int
+    type: str
     required: false
     aliases: ["krbpwdmaxfailure"]
   failinterval:
     description: Period after which failure count will be reset (seconds)
-    type: int
+    type: str
     required: false
     aliases: ["krbpwdfailurecountinterval"]
   lockouttime:
     description: Period for which lockout is enforced (seconds)
-    type: int
+    type: str
     required: false
     aliases: ["krbpwdlockoutduration"]
+  maxrepeat:
+    description: >
+      Maximum number of same consecutive characters.
+      Requires IPA 4.9+
+    type: str
+    required: false
+    aliases: ["ipapwdmaxrepeat"]
+  maxsequence:
+    description: >
+      The maximum length of monotonic character sequences (abcd).
+      Requires IPA 4.9+
+    type: str
+    required: false
+    aliases: ["ipapwdmaxsequence"]
+  dictcheck:
+    description: >
+      Check if the password is a dictionary word.
+      Requires IPA 4.9+
+    type: str
+    required: false
+    aliases: ["ipapwdictcheck"]
+  usercheck:
+    description: >
+      Check if the password contains the username.
+      Requires IPA 4.9+
+    type: str
+    required: false
+    aliases: ["ipapwdusercheck"]
+  gracelimit:
+    description: >
+      Number of LDAP authentications allowed after expiration.
+      Requires IPA 4.10.1+
+    type: str
+    required: false
+    aliases: ["passwordgracelimit"]
   state:
     description: State to ensure
+    type: str
     default: present
     choices: ["present", "absent"]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
+  - Rafael Guterres Jeffman (@rjeffman)
 """
 
 EXAMPLES = """
@@ -135,8 +171,10 @@ def find_pwpolicy(module, name):
     return None
 
 
-def gen_args(maxlife, minlife, history, minclasses, minlength, priority,
-             maxfail, failinterval, lockouttime):
+def gen_args(module,
+             maxlife, minlife, history, minclasses, minlength, priority,
+             maxfail, failinterval, lockouttime, maxrepeat, maxsequence,
+             dictcheck, usercheck, gracelimit):
     _args = {}
     if maxlife is not None:
         _args["krbmaxpwdlife"] = maxlife
@@ -156,34 +194,89 @@ def gen_args(maxlife, minlife, history, minclasses, minlength, priority,
         _args["krbpwdfailurecountinterval"] = failinterval
     if lockouttime is not None:
         _args["krbpwdlockoutduration"] = lockouttime
+    if maxrepeat is not None:
+        _args["ipapwdmaxrepeat"] = maxrepeat
+    if maxsequence is not None:
+        _args["ipapwdmaxsequence"] = maxsequence
+    if dictcheck is not None:
+        if module.ipa_check_version("<", "4.9.10"):
+            # Allowed values: "TRUE", "FALSE", ""
+            _args["ipapwddictcheck"] = "TRUE" if dictcheck is True else \
+                "FALSE" if dictcheck is False else dictcheck
+        else:
+            _args["ipapwddictcheck"] = dictcheck
+    if usercheck is not None:
+        if module.ipa_check_version("<", "4.9.10"):
+            # Allowed values: "TRUE", "FALSE", ""
+            _args["ipapwdusercheck"] = "TRUE" if usercheck is True else \
+                "FALSE" if usercheck is False else usercheck
+        else:
+            _args["ipapwdusercheck"] = usercheck
+    if gracelimit is not None:
+        _args["passwordgracelimit"] = gracelimit
 
     return _args
 
 
+def check_supported_params(
+    module, maxrepeat, maxsequence, dictcheck, usercheck, gracelimit
+):
+    # All password checking parameters were added by the same commit,
+    # so we only need to test one of them.
+    has_password_check = module.ipa_command_param_exists(
+        "pwpolicy_add", "ipapwdmaxrepeat")
+    # check if gracelimit is supported
+    has_gracelimit = module.ipa_command_param_exists(
+        "pwpolicy_add", "passwordgracelimit")
+
+    # If needed, report unsupported password checking paramteres
+    if (
+        not has_password_check
+        and any([maxrepeat, maxsequence, dictcheck, usercheck])
+    ):
+        module.fail_json(
+            msg="Your IPA version does not support arguments: "
+                "maxrepeat, maxsequence, dictcheck, usercheck.")
+
+    if not has_gracelimit and gracelimit is not None:
+        module.fail_json(
+            msg="Your IPA version does not support 'gracelimit'.")
+
+
 def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["cn"], default=None,
-                      required=False),
+            name=dict(type="list", elements="str", aliases=["cn"],
+                      default=None, required=False),
             # present
 
-            maxlife=dict(type="int", aliases=["krbmaxpwdlife"], default=None),
-            minlife=dict(type="int", aliases=["krbminpwdlife"], default=None),
-            history=dict(type="int", aliases=["krbpwdhistorylength"],
+            maxlife=dict(type="str", aliases=["krbmaxpwdlife"], default=None),
+            minlife=dict(type="str", aliases=["krbminpwdlife"], default=None),
+            history=dict(type="str", aliases=["krbpwdhistorylength"],
                          default=None),
-            minclasses=dict(type="int", aliases=["krbpwdmindiffchars"],
+            minclasses=dict(type="str", aliases=["krbpwdmindiffchars"],
                             default=None),
-            minlength=dict(type="int", aliases=["krbpwdminlength"],
+            minlength=dict(type="str", aliases=["krbpwdminlength"],
                            default=None),
-            priority=dict(type="int", aliases=["cospriority"], default=None),
-            maxfail=dict(type="int", aliases=["krbpwdmaxfailure"],
+            priority=dict(type="str", aliases=["cospriority"], default=None),
+            maxfail=dict(type="str", aliases=["krbpwdmaxfailure"],
                          default=None),
-            failinterval=dict(type="int",
+            failinterval=dict(type="str",
                               aliases=["krbpwdfailurecountinterval"],
                               default=None),
-            lockouttime=dict(type="int", aliases=["krbpwdlockoutduration"],
+            lockouttime=dict(type="str", aliases=["krbpwdlockoutduration"],
                              default=None),
+            maxrepeat=dict(type="str", aliases=["ipapwdmaxrepeat"],
+                           default=None),
+            maxsequence=dict(type="str", aliases=["ipapwdmaxsequence"],
+                             default=None),
+            dictcheck=dict(type="str", aliases=["ipapwdictcheck"],
+                           default=None),
+            usercheck=dict(type="str", aliases=["ipapwdusercheck"],
+                           default=None),
+            gracelimit=dict(type="str", aliases=["passwordgracelimit"],
+                            default=None),
             # state
             state=dict(type="str", default="present",
                        choices=["present", "absent"]),
@@ -208,6 +301,11 @@ def main():
     maxfail = ansible_module.params_get("maxfail")
     failinterval = ansible_module.params_get("failinterval")
     lockouttime = ansible_module.params_get("lockouttime")
+    maxrepeat = ansible_module.params_get("maxrepeat")
+    maxsequence = ansible_module.params_get("maxsequence")
+    dictcheck = ansible_module.params_get("dictcheck")
+    usercheck = ansible_module.params_get("usercheck")
+    gracelimit = ansible_module.params_get("gracelimit")
 
     # state
     state = ansible_module.params_get("state")
@@ -231,10 +329,57 @@ def main():
                 msg="'global_policy' can not be made absent.")
         invalid = ["maxlife", "minlife", "history", "minclasses",
                    "minlength", "priority", "maxfail", "failinterval",
-                   "lockouttime"]
+                   "lockouttime", "maxrepeat", "maxsequence", "dictcheck",
+                   "usercheck", "gracelimit"]
 
     ansible_module.params_fail_used_invalid(invalid, state)
 
+    # Ensure parameter values are valid and have proper type.
+    def int_or_empty_param(value, param):
+        if value is not None and value != "":
+            try:
+                value = int(value)
+            except ValueError:
+                ansible_module.fail_json(
+                    msg="Invalid value '%s' for argument '%s'" % (value, param)
+                )
+        return value
+
+    maxlife = int_or_empty_param(maxlife, "maxlife")
+    minlife = int_or_empty_param(minlife, "minlife")
+    history = int_or_empty_param(history, "history")
+    minclasses = int_or_empty_param(minclasses, "minclasses")
+    minlength = int_or_empty_param(minlength, "minlength")
+    priority = int_or_empty_param(priority, "priority")
+    maxfail = int_or_empty_param(maxfail, "maxfail")
+    failinterval = int_or_empty_param(failinterval, "failinterval")
+    lockouttime = int_or_empty_param(lockouttime, "lockouttime")
+    maxrepeat = int_or_empty_param(maxrepeat, "maxrepeat")
+    maxsequence = int_or_empty_param(maxsequence, "maxsequence")
+    gracelimit = int_or_empty_param(gracelimit, "gracelimit")
+
+    def bool_or_empty_param(value, param):  # pylint: disable=R1710
+        # As of Ansible 2.14, values True, False, Yes an No, with variable
+        # capitalization are accepted by Ansible.
+        if not value:
+            return value
+        if value in ["TRUE", "True", "true", "YES", "Yes", "yes"]:
+            return True
+        if value in ["FALSE", "False", "false", "NO", "No", "no"]:
+            return False
+        ansible_module.fail_json(
+            msg="Invalid value '%s' for argument '%s'." % (value, param)
+        )
+
+    dictcheck = bool_or_empty_param(dictcheck, "dictcheck")
+    usercheck = bool_or_empty_param(usercheck, "usercheck")
+
+    # Ensure gracelimit has proper limit.
+    if gracelimit:
+        if gracelimit < -1:
+            ansible_module.fail_json(
+                msg="'gracelimit' must be no less than -1")
+
     # Init
 
     changed = False
@@ -242,6 +387,11 @@ def main():
 
     with ansible_module.ipa_connect():
 
+        check_supported_params(
+            ansible_module, maxrepeat, maxsequence, dictcheck, usercheck,
+            gracelimit
+        )
+
         commands = []
 
         for name in names:
@@ -251,9 +401,11 @@ def main():
             # Create command
             if state == "present":
                 # Generate args
-                args = gen_args(maxlife, minlife, history, minclasses,
+                args = gen_args(ansible_module,
+                                maxlife, minlife, history, minclasses,
                                 minlength, priority, maxfail, failinterval,
-                                lockouttime)
+                                lockouttime, maxrepeat, maxsequence, dictcheck,
+                                usercheck, gracelimit)
 
                 # Found the pwpolicy
                 if res_find is not None:

plugins/modules/iparole.py

@@ -3,8 +3,9 @@
 
 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2020 Red Hat
+# Copyright (C) 2020-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -34,47 +35,71 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: iparole
-short description: Manage FreeIPA role
+short_description: Manage FreeIPA role
 description: Manage FreeIPA role
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
-  role:
+  name:
     description: The list of role name strings.
+    type: list
+    elements: str
     required: true
     aliases: ["cn"]
   description:
     description: A description for the role.
+    type: str
     required: false
   rename:
     description: Rename the role object.
+    type: str
     required: false
     aliases: ["new_name"]
+  privilege:
+    description: List of privileges
+    type: list
+    elements: str
+    required: false
   user:
     description: List of users.
+    type: list
+    elements: str
     required: false
   group:
     description: List of groups.
+    type: list
+    elements: str
     required: false
   host:
     description: List of hosts.
+    type: list
+    elements: str
     required: false
   hostgroup:
     description: List of hostgroups.
+    type: list
+    elements: str
     required: false
   service:
     description: List of services.
+    type: list
+    elements: str
     required: false
   action:
     description: Work on role or member level.
+    type: str
     choices: ["role", "member"]
     default: role
     required: false
   state:
     description: The state to ensure.
+    type: str
     choices: ["present", "absent", "renamed"]
     default: present
-    required: true
+    required: false
+author:
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -394,19 +419,25 @@ def create_module():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # generalgroups
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                       required=True),
             # present
             description=dict(required=False, type="str", default=None),
             rename=dict(required=False, type="str", default=None,
                         aliases=["new_name"]),
             # members
-            privilege=dict(required=False, type='list', default=None),
-            user=dict(required=False, type='list', default=None),
-            group=dict(required=False, type='list', default=None),
-            host=dict(required=False, type='list', default=None),
-            hostgroup=dict(required=False, type='list', default=None),
-            service=dict(required=False, type='list', default=None),
+            privilege=dict(required=False, type='list', elements="str",
+                           default=None),
+            user=dict(required=False, type='list', elements="str",
+                      default=None),
+            group=dict(required=False, type='list', elements="str",
+                       default=None),
+            host=dict(required=False, type='list', elements="str",
+                      default=None),
+            hostgroup=dict(required=False, type='list', elements="str",
+                           default=None),
+            service=dict(required=False, type='list', elements="str",
+                         default=None),
 
             # state
             action=dict(type="str", default="role",

plugins/modules/ipaselfservice.py

@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2020 Red Hat
+# Copyright (C) 2020-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,33 +32,43 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipaselfservice
-short description: Manage FreeIPA selfservices
+short_description: Manage FreeIPA selfservices
 description: Manage FreeIPA selfservices and selfservice attributes
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The list of selfservice name strings.
+    type: list
+    elements: str
     required: true
     aliases: ["aciname"]
   permission:
     description: Permissions to grant (read, write). Default is write.
+    type: list
+    elements: str
     required: false
     aliases: ["permissions"]
   attribute:
     description: Attribute list to which the selfservice applies
+    type: list
+    elements: str
     required: false
     aliases: ["attrs"]
   action:
     description: Work on selfservice or member level.
+    type: str
     choices: ["selfservice", "member"]
     default: selfservice
     required: false
   state:
     description: The state to ensure.
+    type: str
     choices: ["present", "absent"]
     default: present
-    required: true
+    required: false
+author:
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -130,13 +140,13 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["aciname"], default=None,
+            name=dict(type="list", elements="str", aliases=["aciname"],
                       required=True),
             # present
-            permission=dict(required=False, type='list',
+            permission=dict(required=False, type='list', elements="str",
                             aliases=["permissions"], default=None),
-            attribute=dict(required=False, type='list', aliases=["attrs"],
-                           default=None),
+            attribute=dict(required=False, type='list', elements="str",
+                           aliases=["attrs"], default=None),
             action=dict(type="str", default="selfservice",
                         choices=["member", "selfservice"]),
             # state

plugins/modules/ipaserver.py

@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2021 Red Hat
+# Copyright (C) 2021-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,13 +32,15 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipaserver
-short description: Manage FreeIPA server
+short_description: Manage FreeIPA server
 description: Manage FreeIPA server
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The list of server name strings.
+    type: list
+    elements: str
     required: true
     aliases: ["cn"]
   location:
@@ -46,6 +48,7 @@ options:
       The server location string.
       "" for location reset.
       Only in state: present.
+    type: str
     required: false
     aliases: ["ipalocation_location"]
   service_weight:
@@ -96,9 +99,12 @@ options:
     type: bool
   state:
     description: The state to ensure.
+    type: str
     choices: ["present", "absent"]
     default: present
-    required: true
+    required: false
+author:
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -244,8 +250,8 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["cn"],
-                      default=None, required=True),
+            name=dict(type="list", elements="str", aliases=["cn"],
+                      required=True),
             # present
             location=dict(required=False, type='str',
                           aliases=["ipalocation_location"], default=None),

plugins/modules/ipaservice.py

@@ -1,9 +1,11 @@
 # -*- coding: utf-8 -*-
 
 # Authors:
+#   Denis Karpelevich <dkarpele@redhat.com>
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -33,28 +35,155 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipaservice
-short description: Manage FreeIPA service
+short_description: Manage FreeIPA service
 description: Manage FreeIPA service
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The service to manage
+    type: list
+    elements: str
     required: true
     aliases: ["service"]
+  services:
+    description: The list of service dicts.
+    type: list
+    elements: dict
+    suboptions:
+      name:
+        description: The service to manage
+        type: str
+        required: true
+        aliases: ["service"]
+      certificate:
+        description: Base-64 encoded service certificate.
+        required: false
+        type: list
+        elements: str
+        aliases: ["usercertificate"]
+      pac_type:
+        description: Supported PAC type.
+        required: false
+        choices: ["MS-PAC", "PAD", "NONE", ""]
+        type: list
+        elements: str
+        aliases: ["pac_type", "ipakrbauthzdata"]
+      auth_ind:
+        description: Defines an allow list for Authentication Indicators.
+        type: list
+        elements: str
+        required: false
+        choices: ["otp", "radius", "pkinit", "hardened", ""]
+        aliases: ["krbprincipalauthind"]
+      skip_host_check:
+        description: Skip checking if host object exists.
+        required: False
+        type: bool
+      force:
+        description: Force principal name even if host is not in DNS.
+        required: False
+        type: bool
+      requires_pre_auth:
+        description: Pre-authentication is required for the service.
+        required: false
+        type: bool
+        aliases: ["ipakrbrequirespreauth"]
+      ok_as_delegate:
+        description: Client credentials may be delegated to the service.
+        required: false
+        type: bool
+        aliases: ["ipakrbokasdelegate"]
+      ok_to_auth_as_delegate:
+        description: Allow service to authenticate on behalf of a client.
+        required: false
+        type: bool
+        aliases: ["ipakrboktoauthasdelegate"]
+      principal:
+        description: List of principal aliases for the service.
+        required: false
+        type: list
+        elements: str
+        aliases: ["krbprincipalname"]
+      smb:
+        description: Add a SMB service.
+        required: false
+        type: bool
+      netbiosname:
+        description: NETBIOS name for the SMB service.
+        required: false
+        type: str
+      host:
+        description: Host that can manage the service.
+        required: false
+        type: list
+        elements: str
+        aliases: ["managedby_host"]
+      allow_create_keytab_user:
+        description: Users allowed to create a keytab of this host.
+        required: false
+        type: list
+        elements: str
+        aliases: ["ipaallowedtoperform_write_keys_user"]
+      allow_create_keytab_group:
+        description: Groups allowed to create a keytab of this host.
+        required: false
+        type: list
+        elements: str
+        aliases: ["ipaallowedtoperform_write_keys_group"]
+      allow_create_keytab_host:
+        description: Hosts allowed to create a keytab of this host.
+        required: false
+        type: list
+        elements: str
+        aliases: ["ipaallowedtoperform_write_keys_host"]
+      allow_create_keytab_hostgroup:
+        description: Host group allowed to create a keytab of this host.
+        required: false
+        type: list
+        elements: str
+        aliases: ["ipaallowedtoperform_write_keys_hostgroup"]
+      allow_retrieve_keytab_user:
+        description: User allowed to retrieve a keytab of this host.
+        required: false
+        type: list
+        elements: str
+        aliases: ["ipaallowedtoperform_read_keys_user"]
+      allow_retrieve_keytab_group:
+        description: Groups allowed to retrieve a keytab of this host.
+        required: false
+        type: list
+        elements: str
+        aliases: ["ipaallowedtoperform_read_keys_group"]
+      allow_retrieve_keytab_host:
+        description: Hosts allowed to retrieve a keytab of this host.
+        required: false
+        type: list
+        elements: str
+        aliases: ["ipaallowedtoperform_read_keys_host"]
+      allow_retrieve_keytab_hostgroup:
+        description: Host groups allowed to retrieve a keytab of this host.
+        required: false
+        type: list
+        elements: str
+        aliases: ["ipaallowedtoperform_read_keys_hostgroup"]
   certificate:
     description: Base-64 encoded service certificate.
     required: false
     type: list
+    elements: str
     aliases: ["usercertificate"]
   pac_type:
     description: Supported PAC type.
     required: false
     choices: ["MS-PAC", "PAD", "NONE", ""]
     type: list
+    elements: str
     aliases: ["pac_type", "ipakrbauthzdata"]
   auth_ind:
-    description: Defines a whitelist for Authentication Indicators.
+    description: Defines an allow list for Authentication Indicators.
+    type: list
+    elements: str
     required: false
     choices: ["otp", "radius", "pkinit", "hardened", ""]
     aliases: ["krbprincipalauthind"]
@@ -70,24 +199,22 @@ options:
     description: Pre-authentication is required for the service.
     required: false
     type: bool
-    default: False
     aliases: ["ipakrbrequirespreauth"]
   ok_as_delegate:
     description: Client credentials may be delegated to the service.
     required: false
     type: bool
-    default: False
     aliases: ["ipakrbokasdelegate"]
   ok_to_auth_as_delegate:
     description: Allow service to authenticate on behalf of a client.
     required: false
     type: bool
-    default: False
     aliases: ["ipakrboktoauthasdelegate"]
   principal:
     description: List of principal aliases for the service.
     required: false
     type: list
+    elements: str
     aliases: ["krbprincipalname"]
   smb:
     description: Add a SMB service.
@@ -101,63 +228,75 @@ options:
     description: Host that can manage the service.
     required: false
     type: list
+    elements: str
     aliases: ["managedby_host"]
   allow_create_keytab_user:
     description: Users allowed to create a keytab of this host.
     required: false
     type: list
+    elements: str
     aliases: ["ipaallowedtoperform_write_keys_user"]
   allow_create_keytab_group:
     description: Groups allowed to create a keytab of this host.
     required: false
     type: list
+    elements: str
     aliases: ["ipaallowedtoperform_write_keys_group"]
   allow_create_keytab_host:
     description: Hosts allowed to create a keytab of this host.
     required: false
     type: list
+    elements: str
     aliases: ["ipaallowedtoperform_write_keys_host"]
   allow_create_keytab_hostgroup:
     description: Host group allowed to create a keytab of this host.
     required: false
     type: list
+    elements: str
     aliases: ["ipaallowedtoperform_write_keys_hostgroup"]
   allow_retrieve_keytab_user:
     description: User allowed to retrieve a keytab of this host.
     required: false
     type: list
+    elements: str
     aliases: ["ipaallowedtoperform_read_keys_user"]
   allow_retrieve_keytab_group:
     description: Groups allowed to retrieve a keytab of this host.
     required: false
     type: list
+    elements: str
     aliases: ["ipaallowedtoperform_read_keys_group"]
   allow_retrieve_keytab_host:
     description: Hosts allowed to retrieve a keytab of this host.
     required: false
     type: list
+    elements: str
     aliases: ["ipaallowedtoperform_read_keys_host"]
   allow_retrieve_keytab_hostgroup:
     description: Host groups allowed to retrieve a keytab of this host.
     required: false
     type: list
+    elements: str
     aliases: ["ipaallowedtoperform_read_keys_hostgroup"]
-  continue:
+  delete_continue:
     description:
       Continuous mode. Don't stop on errors. Valid only if `state` is `absent`.
     required: false
-    default: True
     type: bool
+    aliases: ["continue"]
   action:
     description: Work on service or member level
+    type: str
     default: service
     choices: ["member", "service"]
   state:
     description: State to ensure
+    type: str
     default: present
     choices: ["present", "absent", "disabled"]
 author:
-    - Rafael Jeffman
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -222,6 +361,15 @@ EXAMPLES = """
       - host1.example.com
       - host2.example.com
       action: member
+
+  # Ensure multiple services are present.
+  - ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      services:
+      - name: HTTP/www.example.com
+        host:
+        - host1.example.com
+      - name: HTTP/www.service.com
 """
 
 RETURN = """
@@ -231,6 +379,9 @@ from ansible.module_utils.ansible_freeipa_module import \
     IPAAnsibleModule, compare_args_ipa, encode_certificate, \
     gen_add_del_lists, gen_add_list, gen_intersection_list, ipalib_errors, \
     api_get_realm, to_text
+from ansible.module_utils import six
+if six.PY3:
+    unicode = str
 
 
 def find_service(module, name):
@@ -304,8 +455,9 @@ def check_parameters(module, state, action, names):
          'allow_retrieve_keytab_hostgroup']
 
     if state == 'present':
-        if len(names) != 1:
-            module.fail_json(msg="Only one service can be added at a time.")
+        if names is not None and len(names) != 1:
+            module.fail_json(msg="Only one service can be added at a time "
+                                 "using 'name'.")
 
         if action == 'service':
             invalid = ['delete_continue']
@@ -321,9 +473,6 @@ def check_parameters(module, state, action, names):
             invalid.append('delete_continue')
 
     elif state == 'absent':
-        if len(names) < 1:
-            module.fail_json(msg="No name given.")
-
         if action == "service":
             invalid.extend(invalid_not_member)
         else:
@@ -343,64 +492,85 @@ def check_parameters(module, state, action, names):
 
 
 def init_ansible_module():
+    service_spec = dict(
+        # service attributesstr
+        certificate=dict(type="list", elements="str",
+                         aliases=['usercertificate'],
+                         default=None, required=False),
+        principal=dict(type="list", elements="str",
+                       aliases=["krbprincipalname"], default=None),
+        smb=dict(type="bool", required=False),
+        netbiosname=dict(type="str", required=False),
+        pac_type=dict(type="list", elements="str",
+                      aliases=["ipakrbauthzdata"],
+                      choices=["MS-PAC", "PAD", "NONE", ""]),
+        auth_ind=dict(type="list", elements="str",
+                      aliases=["krbprincipalauthind"],
+                      choices=["otp", "radius", "pkinit", "hardened", ""]),
+        skip_host_check=dict(type="bool"),
+        force=dict(type="bool"),
+        requires_pre_auth=dict(
+            type="bool", aliases=["ipakrbrequirespreauth"]),
+        ok_as_delegate=dict(type="bool", aliases=["ipakrbokasdelegate"]),
+        ok_to_auth_as_delegate=dict(type="bool",
+                                    aliases=["ipakrboktoauthasdelegate"]),
+        host=dict(type="list", elements="str", aliases=["managedby_host"],
+                  required=False),
+        allow_create_keytab_user=dict(
+            type="list", elements="str", required=False, no_log=False,
+            aliases=['ipaallowedtoperform_write_keys_user']),
+        allow_retrieve_keytab_user=dict(
+            type="list", elements="str", required=False, no_log=False,
+            aliases=['ipaallowedtoperform_read_keys_user']),
+        allow_create_keytab_group=dict(
+            type="list", elements="str", required=False, no_log=False,
+            aliases=['ipaallowedtoperform_write_keys_group']),
+        allow_retrieve_keytab_group=dict(
+            type="list", elements="str", required=False, no_log=False,
+            aliases=['ipaallowedtoperform_read_keys_group']),
+        allow_create_keytab_host=dict(
+            type="list", elements="str", required=False, no_log=False,
+            aliases=['ipaallowedtoperform_write_keys_host']),
+        allow_retrieve_keytab_host=dict(
+            type="list", elements="str", required=False, no_log=False,
+            aliases=['ipaallowedtoperform_read_keys_host']),
+        allow_create_keytab_hostgroup=dict(
+            type="list", elements="str", required=False, no_log=False,
+            aliases=['ipaallowedtoperform_write_keys_hostgroup']),
+        allow_retrieve_keytab_hostgroup=dict(
+            type="list", elements="str", required=False, no_log=False,
+            aliases=['ipaallowedtoperform_read_keys_hostgroup']),
+        delete_continue=dict(type="bool", required=False,
+                             aliases=['continue']),
+    )
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["service"], default=None,
-                      required=True),
-            # service attributesstr
-            certificate=dict(type="list", aliases=['usercertificate'],
-                             default=None, required=False),
-            principal=dict(type="list", aliases=["krbprincipalname"],
-                           default=None),
-            smb=dict(type="bool", required=False),
-            netbiosname=dict(type="str", required=False),
-            pac_type=dict(type="list", aliases=["ipakrbauthzdata"],
-                          choices=["MS-PAC", "PAD", "NONE", ""]),
-            auth_ind=dict(type="list",
-                          aliases=["krbprincipalauthind"],
-                          choices=["otp", "radius", "pkinit", "hardened", ""]),
-            skip_host_check=dict(type="bool"),
-            force=dict(type="bool"),
-            requires_pre_auth=dict(
-                type="bool", aliases=["ipakrbrequirespreauth"]),
-            ok_as_delegate=dict(type="bool", aliases=["ipakrbokasdelegate"]),
-            ok_to_auth_as_delegate=dict(type="bool",
-                                        aliases=["ipakrboktoauthasdelegate"]),
-            host=dict(type="list", aliases=["managedby_host"], required=False),
-            allow_create_keytab_user=dict(
-                type="list", required=False,
-                aliases=['ipaallowedtoperform_write_keys_user']),
-            allow_retrieve_keytab_user=dict(
-                type="list", required=False,
-                aliases=['ipaallowedtoperform_read_keys_user']),
-            allow_create_keytab_group=dict(
-                type="list", required=False,
-                aliases=['ipaallowedtoperform_write_keys_group']),
-            allow_retrieve_keytab_group=dict(
-                type="list", required=False,
-                aliases=['ipaallowedtoperform_read_keys_group']),
-            allow_create_keytab_host=dict(
-                type="list", required=False,
-                aliases=['ipaallowedtoperform_write_keys_host']),
-            allow_retrieve_keytab_host=dict(
-                type="list", required=False,
-                aliases=['ipaallowedtoperform_read_keys_host']),
-            allow_create_keytab_hostgroup=dict(
-                type="list", required=False,
-                aliases=['ipaallowedtoperform_write_keys_hostgroup']),
-            allow_retrieve_keytab_hostgroup=dict(
-                type="list", required=False,
-                aliases=['ipaallowedtoperform_read_keys_hostgroup']),
-            delete_continue=dict(type="bool", required=False,
-                                 aliases=['continue']),
+            name=dict(type="list", elements="str", aliases=["service"],
+                      default=None, required=False),
+            services=dict(type="list",
+                          default=None,
+                          options=dict(
+                              # Here name is a simple string
+                              name=dict(type="str", required=True,
+                                        aliases=["service"]),
+                              # Add service specific parameters
+                              **service_spec
+                          ),
+                          elements='dict',
+                          required=False),
             # action
             action=dict(type="str", default="service",
                         choices=["member", "service"]),
             # state
             state=dict(type="str", default="present",
                        choices=["present", "absent", "disabled"]),
+
+            # Add service specific parameters for simple use case
+            **service_spec
         ),
+        mutually_exclusive=[["name", "services"]],
+        required_one_of=[["name", "services"]],
         supports_check_mode=True,
     )
 
@@ -416,10 +586,17 @@ def main():
 
     # general
     names = ansible_module.params_get("name")
+    services = ansible_module.params_get("services")
 
     # service attributes
     principal = ansible_module.params_get("principal")
     certificate = ansible_module.params_get("certificate")
+    # Any leading or trailing whitespace is removed while adding the
+    # certificate with serive_add_cert. To be able to compare the results
+    # from service_show with the given certificates we have to remove the
+    # white space also.
+    if certificate is not None:
+        certificate = [cert.strip() for cert in certificate]
     pac_type = ansible_module.params_get("pac_type", allow_empty_string=True)
     auth_ind = ansible_module.params_get("auth_ind", allow_empty_string=True)
     skip_host_check = ansible_module.params_get("skip_host_check")
@@ -442,8 +619,16 @@ def main():
     state = ansible_module.params_get("state")
 
     # check parameters
+    if (names is None or len(names) < 1) and \
+       (services is None or len(services) < 1):
+        ansible_module.fail_json(msg="At least one name or services is "
+                                     "required")
     check_parameters(ansible_module, state, action, names)
 
+    # Use services if names is None
+    if services is not None:
+        names = services
+
     # Init
 
     changed = False
@@ -460,8 +645,45 @@ def main():
 
         commands = []
         keytab_members = ["user", "group", "host", "hostgroup"]
+        service_set = set()
 
-        for name in names:
+        for service in names:
+            if isinstance(service, dict):
+                name = service.get("name")
+                if name in service_set:
+                    ansible_module.fail_json(
+                        msg="service '%s' is used more than once" % name)
+                service_set.add(name)
+                principal = service.get("principal")
+                certificate = service.get("certificate")
+                # Any leading or trailing whitespace is removed while adding
+                # the certificate with serive_add_cert. To be able to compare
+                # the results from service_show with the given certificates
+                # we have to remove the white space also.
+                if certificate is not None:
+                    certificate = [cert.strip() for cert in certificate]
+                pac_type = service.get("pac_type")
+                auth_ind = service.get("auth_ind")
+                skip_host_check = service.get("skip_host_check")
+                if skip_host_check and not has_skip_host_check:
+                    ansible_module.fail_json(
+                        msg="Skipping host check is not supported by your IPA "
+                            "version")
+                force = service.get("force")
+                requires_pre_auth = service.get("requires_pre_auth")
+                ok_as_delegate = service.get("ok_as_delegate")
+                ok_to_auth_as_delegate = service.get("ok_to_auth_as_delegate")
+                smb = service.get("smb")
+                netbiosname = service.get("netbiosname")
+                host = service.get("host")
+
+                delete_continue = service.get("delete_continue")
+
+            elif isinstance(service, (str, unicode)):
+                name = service
+            else:
+                ansible_module.fail_json(msg="Service '%s' is not valid" %
+                                         repr(service))
             res_find = find_service(ansible_module, name)
             res_principals = []
 

plugins/modules/ipaservicedelegationrule.py

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipaservicedelegationrule
-short description: Manage FreeIPA servicedelegationrule
+short_description: Manage FreeIPA servicedelegationrule
 description: |
   Manage FreeIPA servicedelegationrule and servicedelegationrule members
 extends_documentation_fragment:
@@ -40,6 +40,8 @@ extends_documentation_fragment:
 options:
   name:
     description: The list of servicedelegationrule name strings.
+    type: list
+    elements: str
     required: true
     aliases: ["cn"]
   principal:
@@ -49,22 +51,30 @@ options:
       host/fqdn@REALM, alias$, alias$@REALM, where fqdn and fqdn@REALM
       are host principals and the same as host/fqdn and host/fqd
       Host princpals are only usable with IPA versions 4.9.0 and up.
+    type: list
+    elements: str
     required: false
   target:
     description: |
       The list of service delegation targets.
+    type: list
+    elements: str
     required: false
     aliases: ["servicedelegationtarget"]
   action:
     description: Work on servicedelegationrule or member level.
+    type: str
     choices: ["servicedelegationrule", "member"]
     default: servicedelegationrule
     required: false
   state:
     description: The state to ensure.
+    type: str
     choices: ["present", "absent"]
     default: present
-    required: true
+    required: false
+author:
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -161,11 +171,12 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                       required=True),
             # present
-            principal=dict(required=False, type='list', default=None),
-            target=dict(required=False, type='list',
+            principal=dict(required=False, type='list', elements="str",
+                           default=None),
+            target=dict(required=False, type='list', elements="str",
                         aliases=["servicedelegationtarget"], default=None),
 
             action=dict(type="str", default="servicedelegationrule",

plugins/modules/ipaservicedelegationtarget.py

@@ -32,7 +32,7 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipaservicedelegationtarget
-short description: Manage FreeIPA servicedelegationtarget
+short_description: Manage FreeIPA servicedelegationtarget
 description: |
   Manage FreeIPA servicedelegationtarget and servicedelegationtarget members
 extends_documentation_fragment:
@@ -40,6 +40,8 @@ extends_documentation_fragment:
 options:
   name:
     description: The list of servicedelegationtarget name strings.
+    type: list
+    elements: str
     required: true
     aliases: ["cn"]
   principal:
@@ -49,17 +51,23 @@ options:
       host/fqdn@REALM, alias$, alias$@REALM, where fqdn and fqdn@REALM
       are host principals and the same as host/fqdn and host/fqdn@REALM.
       Host princpals are only usable with IPA versions 4.9.0 and up.
+    type: list
+    elements: str
     required: false
   action:
     description: Work on servicedelegationtarget or member level.
+    type: str
     choices: ["servicedelegationtarget", "member"]
     default: servicedelegationtarget
     required: false
   state:
     description: The state to ensure.
+    type: str
     choices: ["present", "absent"]
     default: present
-    required: true
+    required: false
+author:
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -121,10 +129,11 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                       required=True),
             # present
-            principal=dict(required=False, type='list', default=None),
+            principal=dict(required=False, type='list', elements="str",
+                           default=None),
 
             action=dict(type="str", default="servicedelegationtarget",
                         choices=["member", "servicedelegationtarget"]),

plugins/modules/ipasudocmd.py

@@ -2,8 +2,9 @@
 
 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -33,24 +34,29 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipasudocmd
-short description: Manage FreeIPA sudo command
+short_description: Manage FreeIPA sudo command
 description: Manage FreeIPA sudo command
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The sudo command
+    type: list
+    elements: str
     required: true
     aliases: ["sudocmd"]
   description:
     description: The command description
+    type: str
     required: false
   state:
     description: State to ensure
+    type: str
     default: present
     choices: ["present", "absent"]
 author:
-    - Rafael Jeffman
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -103,7 +109,7 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["sudocmd"], default=None,
+            name=dict(type="list", elements="str", aliases=["sudocmd"],
                       required=True),
             # present
             description=dict(type="str", default=None),

plugins/modules/ipasudocmdgroup.py

@@ -2,8 +2,9 @@
 
 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -33,17 +34,20 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipasudocmdgroup
-short description: Manage FreeIPA sudocmd groups
+short_description: Manage FreeIPA sudocmd groups
 description: Manage FreeIPA sudocmd groups
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The sudocmodgroup name
-    required: false
+    type: list
+    elements: str
+    required: true
     aliases: ["cn"]
   description:
     description: The sudocmdgroup description
+    type: str
     required: false
   nomembers:
     description: Suppress processing of membership attributes
@@ -53,16 +57,20 @@ options:
     description: List of sudocmds assigned to this sudocmdgroup.
     required: false
     type: list
+    elements: str
   action:
     description: Work on sudocmdgroup or member level
-    default: hostgroup
+    type: str
+    default: sudocmdgroup
     choices: ["member", "sudocmdgroup"]
   state:
     description: State to ensure
+    type: str
     default: present
     choices: ["present", "absent"]
 author:
-    - Rafael Guterres Jeffman
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -140,12 +148,13 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                       required=True),
             # present
             description=dict(type="str", default=None),
             nomembers=dict(required=False, type='bool', default=None),
-            sudocmd=dict(required=False, type='list', default=None),
+            sudocmd=dict(required=False, type='list', elements="str",
+                         default=None),
             action=dict(type="str", default="sudocmdgroup",
                         choices=["member", "sudocmdgroup"]),
             # state

plugins/modules/ipasudorule.py

@@ -2,8 +2,9 @@
 
 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,36 +33,46 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipasudorule
-short description: Manage FreeIPA sudo rules
+short_description: Manage FreeIPA sudo rules
 description: Manage FreeIPA sudo rules
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The sudorule name
+    type: list
+    elements: str
     required: true
     aliases: ["cn"]
   description:
     description: The sudorule description
+    type: str
     required: false
   user:
     description: List of users assigned to the sudo rule.
+    type: list
+    elements: str
     required: false
   usercategory:
     description: User category the sudo rule applies to
+    type: str
     required: false
     choices: ["all", ""]
     aliases: ["usercat"]
   group:
     description: List of user groups assigned to the sudo rule.
+    type: list
+    elements: str
     required: false
   runasgroupcategory:
     description: RunAs Group category applied to the sudo rule.
+    type: str
     required: false
     choices: ["all", ""]
     aliases: ["runasgroupcat"]
   runasusercategory:
     description: RunAs User category applied to the sudorule.
+    type: str
     required: false
     choices: ["all", ""]
     aliases: ["runasusercat"]
@@ -73,12 +84,15 @@ options:
     description: List of host names assigned to this sudorule.
     required: false
     type: list
+    elements: str
   hostgroup:
     description: List of host groups assigned to this sudorule.
     required: false
     type: list
+    elements: str
   hostcategory:
     description: Host category the sudo rule applies to.
+    type: str
     required: false
     choices: ["all", ""]
     aliases: ["hostcat"]
@@ -86,20 +100,25 @@ options:
     description: List of allowed sudocmds assigned to this sudorule.
     required: false
     type: list
+    elements: str
   allow_sudocmdgroup:
     description: List of allowed sudocmd groups assigned to this sudorule.
     required: false
     type: list
+    elements: str
   deny_sudocmd:
     description: List of denied sudocmds assigned to this sudorule.
     required: false
     type: list
+    elements: str
   deny_sudocmdgroup:
     description: List of denied sudocmd groups assigned to this sudorule.
     required: false
     type: list
+    elements: str
   cmdcategory:
     description: Command category the sudo rule applies to
+    type: str
     required: false
     choices: ["all", ""]
     aliases: ["cmdcat"]
@@ -107,29 +126,41 @@ options:
     description: Order to apply this rule.
     required: false
     type: int
+    aliases: ["sudoorder"]
   sudooption:
     description: List of sudo options.
     required: false
     type: list
+    elements: str
     aliases: ["options"]
   runasuser:
     description: List of users for Sudo to execute as.
     required: false
     type: list
+    elements: str
   runasgroup:
     description: List of groups for Sudo to execute as.
     required: false
     type: list
+    elements: str
+  hostmask:
+    description: Host masks of allowed hosts.
+    required: false
+    type: list
+    elements: str
   action:
     description: Work on sudorule or member level
+    type: str
     default: sudorule
     choices: ["member", "sudorule"]
   state:
     description: State to ensure
+    type: str
     default: present
     choices: ["present", "absent", "enabled", "disabled"]
 author:
-    - Rafael Jeffman
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -162,19 +193,28 @@ EXAMPLES = """
     hostgroup: cluster
     action: member
 
-# Ensure sudo rule for usercategory "all"
+# Ensure sudo rule for usercategory "all" is enabled
 - ipasudorule:
     ipaadmin_password: SomeADMINpassword
     name: allusers
     usercategory: all
-    action: enabled
+    state: enabled
 
-# Ensure sudo rule for hostcategory "all"
+# Ensure sudo rule for hostcategory "all" is enabled
 - ipasudorule:
     ipaadmin_password: SomeADMINpassword
     name: allhosts
     hostcategory: all
-    action: enabled
+    state: enabled
+
+# Ensure sudo rule applies for hosts with hostmasks
+- ipasudorule:
+    ipaadmin_password: SomeADMINpassword
+    name: testrule1
+    hostmask:
+    - 192.168.122.1/24
+    - 192.168.120.1/24
+    action: member
 
 # Ensure Sudo Rule tesrule1 is absent
 - ipasudorule:
@@ -188,7 +228,7 @@ RETURN = """
 
 from ansible.module_utils.ansible_freeipa_module import \
     IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, gen_add_list, \
-    gen_intersection_list, api_get_domain, ensure_fqdn
+    gen_intersection_list, api_get_domain, ensure_fqdn, netaddr, to_text
 
 
 def find_sudorule(module, name):
@@ -236,7 +276,7 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                       required=True),
             # present
             description=dict(required=False, type="str", default=None),
@@ -245,14 +285,24 @@ def main():
             hostcategory=dict(required=False, type="str", default=None,
                               choices=["all", ""], aliases=['hostcat']),
             nomembers=dict(required=False, type='bool', default=None),
-            host=dict(required=False, type='list', default=None),
-            hostgroup=dict(required=False, type='list', default=None),
-            user=dict(required=False, type='list', default=None),
-            group=dict(required=False, type='list', default=None),
-            allow_sudocmd=dict(required=False, type="list", default=None),
-            deny_sudocmd=dict(required=False, type="list", default=None),
-            allow_sudocmdgroup=dict(required=False, type="list", default=None),
-            deny_sudocmdgroup=dict(required=False, type="list", default=None),
+            host=dict(required=False, type='list', elements="str",
+                      default=None),
+            hostgroup=dict(required=False, type='list', elements="str",
+                           default=None),
+            hostmask=dict(required=False, type='list', elements="str",
+                          default=None),
+            user=dict(required=False, type='list', elements="str",
+                      default=None),
+            group=dict(required=False, type='list', elements="str",
+                       default=None),
+            allow_sudocmd=dict(required=False, type="list", elements="str",
+                               default=None),
+            deny_sudocmd=dict(required=False, type="list", elements="str",
+                              default=None),
+            allow_sudocmdgroup=dict(required=False, type="list",
+                                    elements="str", default=None),
+            deny_sudocmdgroup=dict(required=False, type="list", elements="str",
+                                   default=None),
             cmdcategory=dict(required=False, type="str", default=None,
                              choices=["all", ""], aliases=['cmdcat']),
             runasusercategory=dict(required=False, type="str", default=None,
@@ -261,11 +311,13 @@ def main():
             runasgroupcategory=dict(required=False, type="str", default=None,
                                     choices=["all", ""],
                                     aliases=['runasgroupcat']),
-            runasuser=dict(required=False, type="list", default=None),
-            runasgroup=dict(required=False, type="list", default=None),
+            runasuser=dict(required=False, type="list", elements="str",
+                           default=None),
+            runasgroup=dict(required=False, type="list", elements="str",
+                            default=None),
             order=dict(type="int", required=False, aliases=['sudoorder']),
-            sudooption=dict(required=False, type='list', default=None,
-                            aliases=["options"]),
+            sudooption=dict(required=False, type='list', elements="str",
+                            default=None, aliases=["options"]),
             action=dict(type="str", default="sudorule",
                         choices=["member", "sudorule"]),
             # state
@@ -298,6 +350,7 @@ def main():
     nomembers = ansible_module.params_get("nomembers")  # noqa
     host = ansible_module.params_get("host")
     hostgroup = ansible_module.params_get_lowercase("hostgroup")
+    hostmask = ansible_module.params_get("hostmask")
     user = ansible_module.params_get_lowercase("user")
     group = ansible_module.params_get_lowercase("group")
     allow_sudocmd = ansible_module.params_get('allow_sudocmd')
@@ -315,6 +368,10 @@ def main():
     # state
     state = ansible_module.params_get("state")
 
+    # ensure hostmasks are network cidr
+    if hostmask is not None:
+        hostmask = [to_text(netaddr.IPNetwork(x).cidr) for x in hostmask]
+
     # Check parameters
     invalid = []
 
@@ -346,7 +403,7 @@ def main():
                    "cmdcategory", "runasusercategory",
                    "runasgroupcategory", "nomembers", "order"]
         if action == "sudorule":
-            invalid.extend(["host", "hostgroup", "user", "group",
+            invalid.extend(["host", "hostgroup", "hostmask", "user", "group",
                             "runasuser", "runasgroup", "allow_sudocmd",
                             "allow_sudocmdgroup", "deny_sudocmd",
                             "deny_sudocmdgroup", "sudooption"])
@@ -360,7 +417,7 @@ def main():
                 "disabled")
         invalid = ["description", "usercategory", "hostcategory",
                    "cmdcategory", "runasusercategory", "runasgroupcategory",
-                   "nomembers", "nomembers", "host", "hostgroup",
+                   "nomembers", "nomembers", "host", "hostgroup", "hostmask",
                    "user", "group", "allow_sudocmd", "allow_sudocmdgroup",
                    "deny_sudocmd", "deny_sudocmdgroup", "runasuser",
                    "runasgroup", "order", "sudooption"]
@@ -389,6 +446,7 @@ def main():
         user_add, user_del = [], []
         group_add, group_del = [], []
         hostgroup_add, hostgroup_del = [], []
+        hostmask_add, hostmask_del = [], []
         allow_cmd_add, allow_cmd_del = [], []
         allow_cmdgroup_add, allow_cmdgroup_del = [], []
         deny_cmd_add, deny_cmd_del = [], []
@@ -454,6 +512,9 @@ def main():
                     hostgroup_add, hostgroup_del = gen_add_del_lists(
                         hostgroup, res_find.get('memberhost_hostgroup', []))
 
+                    hostmask_add, hostmask_del = gen_add_del_lists(
+                        hostmask, res_find.get('hostmask', []))
+
                     user_add, user_del = gen_add_del_lists(
                         user, res_find.get('memberuser_user', []))
 
@@ -520,6 +581,9 @@ def main():
                     if hostgroup is not None:
                         hostgroup_add = gen_add_list(
                             hostgroup, res_find.get("memberhost_hostgroup"))
+                    if hostmask is not None:
+                        hostmask_add = gen_add_list(
+                            hostmask, res_find.get("hostmask"))
                     if user is not None:
                         user_add = gen_add_list(
                             user, res_find.get("memberuser_user"))
@@ -592,6 +656,10 @@ def main():
                         hostgroup_del = gen_intersection_list(
                             hostgroup, res_find.get("memberhost_hostgroup"))
 
+                    if hostmask is not None:
+                        hostmask_del = gen_intersection_list(
+                            hostmask, res_find.get("hostmask"))
+
                     if user is not None:
                         user_del = gen_intersection_list(
                             user, res_find.get("memberuser_user"))
@@ -683,18 +751,19 @@ def main():
 
             # Manage members.
             # Manage hosts and hostgroups
-            if host_add or hostgroup_add:
-                commands.append([name, "sudorule_add_host",
-                                 {
-                                     "host": host_add,
-                                     "hostgroup": hostgroup_add,
-                                 }])
-            if host_del or hostgroup_del:
-                commands.append([name, "sudorule_remove_host",
-                                 {
-                                     "host": host_del,
-                                     "hostgroup": hostgroup_del,
-                                 }])
+            if any([host_add, hostgroup_add, hostmask_add]):
+                params = {"host": host_add, "hostgroup": hostgroup_add}
+                # An empty Hostmask cannot be used, or IPA API will fail.
+                if hostmask_add:
+                    params["hostmask"] = hostmask_add
+                commands.append([name, "sudorule_add_host", params])
+
+            if any([host_del, hostgroup_del, hostmask_del]):
+                params = {"host": host_del, "hostgroup": hostgroup_del}
+                # An empty Hostmask cannot be used, or IPA API will fail.
+                if hostmask_del:
+                    params["hostmask"] = hostmask_del
+                commands.append([name, "sudorule_remove_host", params])
 
             # Manage users and groups
             if user_add or group_add:

plugins/modules/ipatopologysegment.py

@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,36 +32,44 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipatopologysegment
-short description: Manage FreeIPA topology segments
+short_description: Manage FreeIPA topology segments
 description: Manage FreeIPA topology segments
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   suffix:
     description: Topology suffix
+    type: str
     required: true
     choices: ["domain", "ca", "domain+ca"]
   name:
     description: Topology segment name, unique identifier.
+    type: str
     required: false
     aliases: ["cn"]
   left:
     description: Left replication node - an IPA server
+    type: str
+    required: false
     aliases: ["leftnode"]
   right:
     description: Right replication node - an IPA server
+    type: str
+    required: false
     aliases: ["rightnode"]
   direction:
     description: The direction a segment will be reinitialized
+    type: str
     required: false
     choices: ["left-to-right", "right-to-left"]
   state:
     description: State to ensure
+    type: str
     default: present
     choices: ["present", "absent", "enabled", "disabled", "reinitialized",
               "checked" ]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -178,7 +186,8 @@ def find_left_right_cn(module, suffix, left, right, name):
 def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
-            suffix=dict(choices=["domain", "ca", "domain+ca"], required=True),
+            suffix=dict(type="str", choices=["domain", "ca", "domain+ca"],
+                        required=True),
             name=dict(type="str", aliases=["cn"], default=None),
             left=dict(type="str", aliases=["leftnode"], default=None),
             right=dict(type="str", aliases=["rightnode"], default=None),

plugins/modules/ipatopologysuffix.py

@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,21 +32,23 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipatopologysuffix
-short description: Verify FreeIPA topology suffix
+short_description: Verify FreeIPA topology suffix
 description: Verify FreeIPA topology suffix
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   suffix:
     description: Topology suffix
+    type: str
     required: true
     choices: ["domain", "ca"]
   state:
     description: State to ensure
+    type: str
     default: verified
     choices: ["verified"]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -65,7 +67,7 @@ from ansible.module_utils.ansible_freeipa_module import IPAAnsibleModule
 def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
-            suffix=dict(choices=["domain", "ca"], required=True),
+            suffix=dict(type="str", choices=["domain", "ca"], required=True),
             state=dict(type="str", default="verified",
                        choices=["verified"]),
         ),

plugins/modules/ipatrust.py

@@ -2,8 +2,9 @@
 
 # Authors:
 #   Rob Verduijn <rob.verduijn@gmail.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 By Rob Verduijn
+# Copyright (C) 2019-2022 By Rob Verduijn
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -39,62 +40,75 @@ options:
   realm:
     description:
     - Realm name
+    type: str
     required: true
   trust_type:
     description:
     - Trust type (ad for Active Directory, default)
+    type: str
     default: ad
     required: false
     choices: ["ad"]
   admin:
     description:
     - Active Directory domain administrator
+    type: str
     required: false
   password:
     description:
     - Active Directory domain administrator's password
+    type: str
     required: false
   server:
     description:
     - Domain controller for the Active Directory domain (optional)
+    type: str
     required: false
   trust_secret:
     description:
     - Shared secret for the trust
+    type: str
     required: false
   base_id:
     description:
     - First Posix ID of the range reserved for the trusted domain
+    type: int
     required: false
   range_size:
     description:
     - Size of the ID range reserved for the trusted domain
+    type: int
+    default: 200000
   range_type:
     description:
     - Type of trusted domain ID range, one of ipa-ad-trust, ipa-ad-trust-posix
+    type: str
+    choices: ["ipa-ad-trust-posix", "ipa-ad-trust"]
     default: ipa-ad-trust
     required: false
   two_way:
     description:
     - Establish bi-directional trust. By default trust is inbound one-way only.
+    type: bool
     default: false
     required: false
-    choices: ["true", "false"]
   external:
     description:
     - Establish external trust to a domain in another forest.
     - The trust is not transitive beyond the domain.
+    type: bool
     default: false
     required: false
-    choices: ["true", "false"]
   state:
     description: State to ensure
+    type: str
     default: present
-    required: true
+    required: false
     choices: ["present", "absent"]
 
 author:
-    - Rob Verduijn
+  - Rob Verduijn (@RobVerduijn)
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -188,7 +202,7 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            realm=dict(type="str", default=None, required=True),
+            realm=dict(type="str", required=True),
             # state
             state=dict(type="str", default="present",
                        choices=["present", "absent"]),

plugins/modules/ipauser.py

@@ -3,7 +3,7 @@
 # Authors:
 #   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,50 +32,68 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipauser
-short description: Manage FreeIPA users
+short_description: Manage FreeIPA users
 description: Manage FreeIPA users
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The list of users (internally uid).
+    type: list
+    elements: str
     required: false
+    aliases: ["login"]
   users:
     description: The list of user dicts (internally uid).
-    options:
+    type: list
+    elements: dict
+    suboptions:
       name:
         description: The user (internally uid).
+        type: str
         required: true
+        aliases: ["login"]
       first:
-        description: The first name
+        description: The first name. Required if user does not exist.
+        type: str
         required: false
         aliases: ["givenname"]
       last:
-        description: The last name
+        description: The last name. Required if user doesnot exst.
+        type: str
         required: false
         aliases: ["sn"]
       fullname:
         description: The full name
+        type: str
         required: false
         aliases: ["cn"]
       displayname:
         description: The display name
+        type: str
         required: false
       initials:
         description: Initials
+        type: str
         required: false
       homedir:
         description: The home directory
+        type: str
         required: false
       shell:
         description: The login shell
+        type: str
         required: false
         aliases: ["loginshell"]
       email:
         description: List of email addresses
+        type: list
+        elements: str
         required: false
       principal:
         description: The kerberos principal
+        type: list
+        elements: str
         required: false
         aliases: ["principalname", "krbprincipalname"]
       principalexpiration:
@@ -84,6 +102,7 @@ options:
           (possible formats: YYYYMMddHHmmssZ, YYYY-MM-ddTHH:mm:ssZ,
           YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ,
           YYYY-MM-dd HH:mmZ) The trailing 'Z' can be skipped.
+        type: str
         required: false
         aliases: ["krbprincipalexpiration"]
       passwordexpiration:
@@ -93,68 +112,94 @@ options:
           YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ,
           YYYY-MM-dd HH:mmZ) The trailing 'Z' can be skipped.
           Only usable with IPA versions 4.7 and up.
+        type: str
         required: false
         aliases: ["krbpasswordexpiration"]
       password:
         description: The user password
+        type: str
         required: false
       random:
         description: Generate a random user password
         required: false
         type: bool
       uid:
-        description: The UID
+        description: User ID Number (system will assign one if not provided)
+        type: int
         required: false
         aliases: ["uidnumber"]
       gid:
-        description: The GID
+        description: Group ID Number
+        type: int
         required: false
         aliases: ["gidnumber"]
       city:
         description: City
+        type: str
         required: false
       userstate:
         description: State/Province
+        type: str
         required: false
         aliases: ["st"]
       postalcode:
         description: Postalcode/ZIP
+        type: str
         required: false
         aliases: ["zip"]
       phone:
         description: List of telephone numbers
+        type: list
+        elements: str
         required: false
         aliases: ["telephonenumber"]
       mobile:
         description: List of mobile telephone numbers
+        type: list
+        elements: str
         required: false
       pager:
         description: List of pager numbers
+        type: list
+        elements: str
         required: false
       fax:
         description: List of fax numbers
+        type: list
+        elements: str
         required: false
         aliases: ["facsimiletelephonenumber"]
       orgunit:
         description: Org. Unit
+        type: str
         required: false
+        aliases: ["ou"]
       title:
         description: The job title
+        type: str
         required: false
       manager:
         description: List of managers
+        type: list
+        elements: str
         required: false
       carlicense:
         description: List of car licenses
+        type: list
+        elements: str
         required: false
       sshpubkey:
         description: List of SSH public keys
         required: false
+        type: list
+        elements: str
         aliases: ["ipasshpubkey"]
       userauthtype:
         description:
           List of supported user authentication types
           Use empty string to reset userauthtype to the initial value.
+        type: list
+        elements: str
         choices: ['password', 'radius', 'otp', '']
         required: false
         aliases: ["ipauserauthtype"]
@@ -162,44 +207,65 @@ options:
         description:
         - User category
         - (semantics placed on this attribute are for local interpretation)
+        type: list
+        elements: str
         required: false
+        aliases: ["class"]
       radius:
         description: RADIUS proxy configuration
+        type: str
         required: false
+        aliases: ["ipatokenradiusconfiglink"]
       radiususer:
         description: RADIUS proxy username
+        type: str
         required: false
+        aliases: ["radiususername", "ipatokenradiususername"]
       departmentnumber:
         description: Department Number
+        type: list
+        elements: str
         required: false
       employeenumber:
         description: Employee Number
+        type: str
         required: false
       employeetype:
         description: Employee Type
+        type: str
         required: false
       preferredlanguage:
         description: Preferred Language
+        type: str
         required: false
       certificate:
         description: List of base-64 encoded user certificates
+        type: list
+        elements: str
         required: false
+        aliases: ["usercertificate"]
       certmapdata:
         description:
         - List of certificate mappings
         - Only usable with IPA versions 4.5 and up.
-        options:
+        type: list
+        elements: dict
+        suboptions:
           certificate:
             description: Base-64 encoded user certificate
+            type: str
             required: false
           issuer:
             description: Issuer of the certificate
+            type: str
             required: false
           subject:
             description: Subject of the certificate
+            type: str
             required: false
           data:
             description: Certmap data
+            type: str
             required: false
         required: false
       noprivate:
@@ -212,35 +278,46 @@ options:
         type: bool
     required: false
   first:
-    description: The first name
+    description: The first name. Required if user does not exist.
+    type: str
     required: false
     aliases: ["givenname"]
   last:
-    description: The last name
+    description: The last name. Required if user doesnot exst.
+    type: str
     required: false
     aliases: ["sn"]
   fullname:
     description: The full name
+    type: str
     required: false
     aliases: ["cn"]
   displayname:
     description: The display name
+    type: str
     required: false
   initials:
     description: Initials
+    type: str
     required: false
   homedir:
     description: The home directory
+    type: str
     required: false
   shell:
     description: The login shell
+    type: str
     required: false
     aliases: ["loginshell"]
   email:
     description: List of email addresses
+    type: list
+    elements: str
     required: false
   principal:
     description: The kerberos principal
+    type: list
+    elements: str
     required: false
     aliases: ["principalname", "krbprincipalname"]
   principalexpiration:
@@ -249,6 +326,7 @@ options:
       (possible formats: YYYYMMddHHmmssZ, YYYY-MM-ddTHH:mm:ssZ,
       YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ,
       YYYY-MM-dd HH:mmZ) The trailing 'Z' can be skipped.
+    type: str
     required: false
     aliases: ["krbprincipalexpiration"]
   passwordexpiration:
@@ -258,68 +336,94 @@ options:
       YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ,
       YYYY-MM-dd HH:mmZ) The trailing 'Z' can be skipped.
       Only usable with IPA versions 4.7 and up.
+    type: str
     required: false
     aliases: ["krbpasswordexpiration"]
   password:
     description: The user password
+    type: str
     required: false
   random:
     description: Generate a random user password
     required: false
     type: bool
   uid:
-    description: The UID
+    description: User ID Number (system will assign one if not provided)
+    type: int
     required: false
     aliases: ["uidnumber"]
   gid:
-    description: The GID
+    description: Group ID Number
+    type: int
     required: false
     aliases: ["gidnumber"]
   city:
     description: City
+    type: str
     required: false
   userstate:
     description: State/Province
+    type: str
     required: false
     aliases: ["st"]
   postalcode:
-    description: ZIP
+    description: Postalcode/ZIP
+    type: str
     required: false
     aliases: ["zip"]
   phone:
     description: List of telephone numbers
+    type: list
+    elements: str
     required: false
     aliases: ["telephonenumber"]
   mobile:
     description: List of mobile telephone numbers
+    type: list
+    elements: str
     required: false
   pager:
     description: List of pager numbers
+    type: list
+    elements: str
     required: false
   fax:
     description: List of fax numbers
+    type: list
+    elements: str
     required: false
     aliases: ["facsimiletelephonenumber"]
   orgunit:
     description: Org. Unit
+    type: str
     required: false
+    aliases: ["ou"]
   title:
     description: The job title
+    type: str
     required: false
   manager:
     description: List of managers
+    type: list
+    elements: str
     required: false
   carlicense:
     description: List of car licenses
+    type: list
+    elements: str
     required: false
   sshpubkey:
     description: List of SSH public keys
     required: false
+    type: list
+    elements: str
     aliases: ["ipasshpubkey"]
   userauthtype:
     description:
       List of supported user authentication types
       Use empty string to reset userauthtype to the initial value.
+    type: list
+    elements: str
     choices: ['password', 'radius', 'otp', '']
     required: false
     aliases: ["ipauserauthtype"]
@@ -327,44 +431,65 @@ options:
     description:
     - User category
     - (semantics placed on this attribute are for local interpretation)
+    type: list
+    elements: str
     required: false
+    aliases: ["class"]
   radius:
     description: RADIUS proxy configuration
+    type: str
     required: false
+    aliases: ["ipatokenradiusconfiglink"]
   radiususer:
     description: RADIUS proxy username
+    type: str
     required: false
+    aliases: ["radiususername", "ipatokenradiususername"]
   departmentnumber:
     description: Department Number
+    type: list
+    elements: str
     required: false
   employeenumber:
     description: Employee Number
+    type: str
     required: false
   employeetype:
     description: Employee Type
+    type: str
     required: false
   preferredlanguage:
     description: Preferred Language
+    type: str
     required: false
   certificate:
     description: List of base-64 encoded user certificates
+    type: list
+    elements: str
     required: false
+    aliases: ["usercertificate"]
   certmapdata:
     description:
     - List of certificate mappings
     - Only usable with IPA versions 4.5 and up.
-    options:
+    type: list
+    elements: dict
+    suboptions:
       certificate:
         description: Base-64 encoded user certificate
+        type: str
         required: false
       issuer:
         description: Issuer of the certificate
+        type: str
         required: false
       subject:
         description: Subject of the certificate
+        type: str
         required: false
       data:
         description: Certmap data
+        type: str
         required: false
     required: false
   noprivate:
@@ -378,24 +503,27 @@ options:
   preserve:
     description: Delete a user, keeping the entry available for future use
     required: false
+    type: bool
   update_password:
     description:
       Set password for a user in present state only on creation or always
-    default: "always"
+    type: str
     choices: ["always", "on_create"]
     required: false
   action:
     description: Work on user or member level
+    type: str
     default: "user"
     choices: ["member", "user"]
   state:
     description: State to ensure
+    type: str
     default: present
     choices: ["present", "absent",
               "enabled", "disabled",
               "unlocked", "undeleted"]
 author:
-    - Thomas Woerner
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -420,6 +548,17 @@ EXAMPLES = """
     first: brain
     last: Acme
 
+# Create multiple users pinky and brain
+- ipauser:
+    ipaadmin_password: SomeADMINpassword
+    users:
+    - name: pinky
+      first: pinky
+      last: Acme
+    - name: brain
+      first: brain
+      last: Acme
+
 # Delete user pinky, but preserved
 - ipauser:
     ipaadmin_password: SomeADMINpassword
@@ -445,6 +584,14 @@ EXAMPLES = """
     name: pinky,brain
     state: enabled
 
+# Remove but preserve user pinky
+- ipauser:
+    ipaadmin_password: SomeADMINpassword
+    users:
+    - name: pinky
+    preserve: yes
+    state: absent
+
 # Remove user pinky and brain
 - ipauser:
     ipaadmin_password: SomeADMINpassword
@@ -457,17 +604,21 @@ user:
   description: User dict with random password
   returned: If random is yes and user did not exist or update_password is yes
   type: dict
-  options:
+  contains:
     randompassword:
       description: The generated random password
-      returned: If only one user is handled by the module
+      type: str
+      returned: |
+        If only one user is handled by the module without using users parameter
     name:
       description: The user name of the user that got a new random password
-      returned: If several users are handled by the module
+      returned: |
+        If several users are handled by the module with the users parameter
       type: dict
-      options:
+      contains:
         randompassword:
           description: The generated random password
+          type: str
           returned: always
 """
 
@@ -704,11 +855,11 @@ def gen_certmapdata_args(certmapdata):
 
 # pylint: disable=unused-argument
 def result_handler(module, result, command, name, args, errors, exit_args,
-                   one_name):
+                   single_user):
 
     if "random" in args and command in ["user_add", "user_mod"] \
        and "randompassword" in result["result"]:
-        if one_name:
+        if single_user:
             exit_args["randompassword"] = \
                 result["result"]["randompassword"]
         else:
@@ -731,7 +882,7 @@ def result_handler(module, result, command, name, args, errors, exit_args,
 
 
 # pylint: disable=unused-argument
-def exception_handler(module, ex, errors, exit_args, one_name):
+def exception_handler(module, ex, errors, exit_args, single_user):
     msg = str(ex)
     if "already contains" in msg \
        or "does not contain" in msg:
@@ -752,16 +903,16 @@ def main():
         initials=dict(type="str", default=None),
         homedir=dict(type="str", default=None),
         shell=dict(type="str", aliases=["loginshell"], default=None),
-        email=dict(type="list", default=None),
-        principal=dict(type="list", aliases=["principalname",
-                                             "krbprincipalname"],
+        email=dict(type="list", elements="str", default=None),
+        principal=dict(type="list", elements="str",
+                       aliases=["principalname", "krbprincipalname"],
                        default=None),
         principalexpiration=dict(type="str",
                                  aliases=["krbprincipalexpiration"],
                                  default=None),
         passwordexpiration=dict(type="str",
                                 aliases=["krbpasswordexpiration"],
-                                default=None),
+                                default=None, no_log=False),
         password=dict(type="str", default=None, no_log=True),
         random=dict(type='bool', default=None),
         uid=dict(type="int", aliases=["uidnumber"], default=None),
@@ -769,33 +920,34 @@ def main():
         city=dict(type="str", default=None),
         userstate=dict(type="str", aliases=["st"], default=None),
         postalcode=dict(type="str", aliases=["zip"], default=None),
-        phone=dict(type="list", aliases=["telephonenumber"], default=None),
-        mobile=dict(type="list", default=None),
-        pager=dict(type="list", default=None),
-        fax=dict(type="list", aliases=["facsimiletelephonenumber"],
-                 default=None),
+        phone=dict(type="list", elements="str", aliases=["telephonenumber"],
+                   default=None),
+        mobile=dict(type="list", elements="str", default=None),
+        pager=dict(type="list", elements="str", default=None),
+        fax=dict(type="list", elements="str",
+                 aliases=["facsimiletelephonenumber"], default=None),
         orgunit=dict(type="str", aliases=["ou"], default=None),
         title=dict(type="str", default=None),
-        manager=dict(type="list", default=None),
-        carlicense=dict(type="list", default=None),
-        sshpubkey=dict(type="list", aliases=["ipasshpubkey"],
+        manager=dict(type="list", elements="str", default=None),
+        carlicense=dict(type="list", elements="str", default=None),
+        sshpubkey=dict(type="list", elements="str", aliases=["ipasshpubkey"],
                        default=None),
-        userauthtype=dict(type='list', aliases=["ipauserauthtype"],
-                          default=None,
+        userauthtype=dict(type='list', elements="str",
+                          aliases=["ipauserauthtype"], default=None,
                           choices=['password', 'radius', 'otp', '']),
-        userclass=dict(type="list", aliases=["class"],
+        userclass=dict(type="list", elements="str", aliases=["class"],
                        default=None),
         radius=dict(type="str", aliases=["ipatokenradiusconfiglink"],
                     default=None),
         radiususer=dict(type="str", aliases=["radiususername",
                                              "ipatokenradiususername"],
                         default=None),
-        departmentnumber=dict(type="list", default=None),
+        departmentnumber=dict(type="list", elements="str", default=None),
         employeenumber=dict(type="str", default=None),
         employeetype=dict(type="str", default=None),
         preferredlanguage=dict(type="str", default=None),
-        certificate=dict(type="list", aliases=["usercertificate"],
-                         default=None),
+        certificate=dict(type="list", elements="str",
+                         aliases=["usercertificate"], default=None),
         certmapdata=dict(type="list", default=None,
                          options=dict(
                              # Here certificate is a simple string
@@ -812,14 +964,14 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # general
-            name=dict(type="list", aliases=["login"], default=None,
-                      required=False),
+            name=dict(type="list", elements="str", aliases=["login"],
+                      default=None, required=False),
             users=dict(type="list",
-                       aliases=["login"],
                        default=None,
                        options=dict(
                            # Here name is a simple string
-                           name=dict(type="str", required=True),
+                           name=dict(type="str", required=True,
+                                     aliases=["login"]),
                            # Add user specific parameters
                            **user_spec
                        ),
@@ -1380,7 +1532,7 @@ def main():
 
         changed = ansible_module.execute_ipa_commands(
             commands, result_handler, exception_handler,
-            exit_args=exit_args, one_name=len(names) == 1)
+            exit_args=exit_args, single_user=users is None)
 
     # Done
     ansible_module.exit_json(changed=changed, user=exit_args)

plugins/modules/ipavault.py

@@ -2,8 +2,9 @@
 
 # Authors:
 #   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#   Thomas Woerner <twoerner@redhat.com>
 #
-# Copyright (C) 2019 Red Hat
+# Copyright (C) 2019-2022 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -32,130 +33,142 @@ ANSIBLE_METADATA = {
 DOCUMENTATION = """
 ---
 module: ipavault
-short description: Manage vaults and secret vaults.
+short_description: Manage vaults and secret vaults.
 description: Manage vaults and secret vaults. KRA service must be enabled.
 extends_documentation_fragment:
   - ipamodule_base_docs
 options:
   name:
     description: The vault name
+    type: list
+    elements: str
     required: true
     aliases: ["cn"]
   description:
     description: The vault description
+    type: str
     required: false
-  public_key:
+  vault_public_key:
     description: Base64 encode public key.
     required: false
-    type: string
-    aliases: ["ipavaultpublickey", "vault_public_key"]
-  public_key_file:
+    type: str
+    aliases: ["ipavaultpublickey", "public_key", "new_public_key"]
+  vault_public_key_file:
     description: Path to file with public key.
     required: false
-    type: string
-    aliases: ["vault_public_key_file"]
+    type: str
+    aliases: ["public_key_file", "new_public_key_file"]
   private_key:
     description: Base64 encode private key.
     required: false
-    type: string
+    type: str
     aliases: ["ipavaultprivatekey", "vault_private_key"]
   private_key_file:
     description: Path to file with private key.
     required: false
-    type: string
+    type: str
     aliases: ["vault_private_key_file"]
   password:
     description: password to be used on symmetric vault.
     required: false
-    type: string
+    type: str
     aliases: ["ipavaultpassword", "vault_password", "old_password"]
   password_file:
     description: file with password to be used on symmetric vault.
     required: false
-    type: string
+    type: str
     aliases: ["vault_password_file", "old_password_file"]
   new_password:
     description: new password to be used on symmetric vault.
     required: false
-    type: string
+    type: str
   new_password_file:
     description: file with new password to be used on symmetric vault.
     required: false
-    type: string
-  salt:
+    type: str
+  vault_salt:
     description: Vault salt.
     required: false
-    type: list
-    aliases: ["ipavaultsalt", "vault_salt"]
+    type: str
+    aliases: ["ipavaultsalt", "salt"]
   vault_type:
     description: Vault types are based on security level.
-    required: true
-    default: symmetric
+    type: str
+    required: false
     choices: ["standard", "symmetric", "asymmetric"]
     aliases: ["ipavaulttype"]
   service:
     description: Any service can own one or more service vaults.
     required: false
-    type: list
+    type: str
   username:
     description: Any user can own one or more user vaults.
     required: false
-    type: string
+    type: str
     aliases: ["user"]
   shared:
     description: Vault is shared.
     required: false
-    type: boolean
+    type: bool
   users:
     description: Users that are member of the vault.
     required: false
     type: list
+    elements: str
   groups:
     description: Groups that are member of the vault.
     required: false
     type: list
+    elements: str
   owners:
     description: Users that are owners of the vault.
     required: false
     type: list
+    elements: str
     aliases: ["ownerusers"]
   ownergroups:
     description: Groups that are owners of the vault.
     required: false
     type: list
+    elements: str
   ownerservices:
     description: Services that are owners of the vault.
     required: false
     type: list
+    elements: str
   services:
     description: Services that are member of the container.
     required: false
     type: list
+    elements: str
   data:
     description: Data to be stored in the vault.
     required: false
-    type: string
+    type: str
     aliases: ["ipavaultdata", "vault_data"]
   in:
     description: Path to file with data to be stored in the vault.
     required: false
-    type: string
+    type: str
     aliases: ["datafile_in"]
   out:
     description: Path to file to store data retrieved from the vault.
     required: false
-    type: string
+    type: str
     aliases: ["datafile_out"]
   action:
     description: Work on vault or member level.
+    type: str
     default: vault
-    choices: ["vault", "member"]
+    choices: ["vault", "data", "member"]
   state:
     description: State to ensure
+    type: str
     default: present
     choices: ["present", "absent", "retrieved"]
 author:
-    - Rafael Jeffman
+  - Rafael Guterres Jeffman (@rjeffman)
+  - Thomas Woerner (@t-woerner)
 """
 
 EXAMPLES = """
@@ -307,11 +320,11 @@ vault:
   description: Vault dict with archived data.
   returned: If state is `retrieved`.
   type: dict
-  options:
+  contains:
     data:
       description: The vault data.
       returned: always
-      type: string
+      type: str
 """
 
 import os
@@ -525,7 +538,7 @@ def check_encryption_params(  # pylint: disable=unused-argument
 
         if (
             salt is not None
-            and not(
+            and not (
                 any([password, password_file])
                 and any([new_password, new_password_file])
             )
@@ -587,7 +600,7 @@ def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
             # generalgroups
-            name=dict(type="list", aliases=["cn"], default=None,
+            name=dict(type="list", elements="str", aliases=["cn"],
                       required=True),
 
             description=dict(required=False, type="str", default=None),
@@ -614,13 +627,19 @@ def main():
             service=dict(type="str", required=False, default=None),
             shared=dict(type="bool", required=False, default=None),
 
-            users=dict(required=False, type='list', default=None),
-            groups=dict(required=False, type='list', default=None),
-            services=dict(required=False, type='list', default=None),
-            owners=dict(required=False, type='list', default=None,
+            users=dict(required=False, type="list", elements="str",
+                       default=None),
+            groups=dict(required=False, type="list", elements="str",
+                        default=None),
+            services=dict(required=False, type="list", elements="str",
+                          default=None),
+            owners=dict(required=False, type="list", elements="str",
+                        default=None,
                         aliases=['ownerusers']),
-            ownergroups=dict(required=False, type='list', default=None),
-            ownerservices=dict(required=False, type='list', default=None),
+            ownergroups=dict(required=False, type="list", elements="str",
+                             default=None),
+            ownerservices=dict(required=False, type="list", elements="str",
+                               default=None),
             vault_data=dict(type="str", required=False, default=None,
                             no_log=True, aliases=['ipavaultdata', 'data']),
             datafile_in=dict(type="str", required=False, default=None,

requirements-dev.txt

@@ -1,12 +1,10 @@
 -r requirements-tests.txt
 ipdb==0.13.4
-pre-commit
-flake8==4.0.1
-flake8-bugbear
-pylint==2.13.7
+pre-commit==2.20.0
+flake8==5.0.3
+flake8-bugbear==22.10.27
+pylint==2.14.4
+wrapt == 1.14.0
 pydocstyle==6.0.0
-yamllint==1.26.3
-ansible-lint==5.3.2
-dnspython==2.2.0
-netaddr==0.8.0
-gssapi==1.7.2
+yamllint==1.28.0
+ansible-lint==6.6.1

requirements-docker.yml

@@ -0,0 +1,3 @@
+---
+collections:
+  - name: community.docker

requirements-podman.yml

@@ -0,0 +1,3 @@
+---
+collections:
+  - name: containers.podman